Abstract — We present a framework for fully-simulatable $h$-out-of-$n$ oblivious transfer ($\mathrm{OT}_n^h$) with security against non-adaptive malicious adversaries. The framework costs six communication rounds and at most $40n$ public-key operations in computational overhead. Compared with the known protocols for fully-simulatable oblivious transfer that work in the plain model (where no trusted common reference string is available) and are proven secure in the standard model (where no random oracle is available), the instantiation of the framework based on the decisional Diffie-Hellman assumption is the most efficient one, whether measured by communication rounds or by computational overhead.

Our framework uses three abstract tools, i.e., perfectly binding commitment, perfectly hiding commitment and our new smooth projective hash. This allows a simple and intuitive understanding of its security.

We instantiate the new smooth projective hash under the lattice assumption, the decisional Diffie-Hellman assumption, the decisional $N$-th residuosity assumption and the decisional quadratic residuosity assumption. This shows that the folklore that it is technically difficult to instantiate the projective hash framework under the lattice assumption is not true. What's more, by using this lattice-based hash and a lattice-based commitment scheme, we obtain a concrete protocol for $\mathrm{OT}_n^h$ which is secure against quantum algorithms.

Index Terms — oblivious transfer (OT) protocols.



1 Introduction

1.1 Oblivious transfer

Oblivious transfer (OT), first introduced by [49] and later defined in another way with equivalent effect [16] by [18], is a fundamental primitive in cryptography and a concrete problem in the field of secure multi-party computation. Many cryptographic protocols can be built from it. Most remarkably, [27], [?], [?], [56] prove that any secure multi-party computation can be based on a secure oblivious transfer protocol. In this paper, we are concerned with a variant of OT, $h$-out-of-$n$ oblivious transfer ($\mathrm{OT}_n^h$). $\mathrm{OT}_n^h$ deals with the following scenario. A sender holds $n$ private messages $m_1, m_2, \ldots, m_n$. A receiver holds $h$ private positive integers $i_1, i_2, \ldots, i_h$, where $i_1 < i_2 < \cdots < i_h \le n$. The receiver expects to get the messages $m_{i_1}, m_{i_2}, \ldots, m_{i_h}$ without leaking any information about his private input, i.e., the $h$ positive integers he holds. The sender expects that all new knowledge learned by the receiver from their interaction is at most $h$ messages. Obviously, the OT most of the literature refers to is $\mathrm{OT}_2^1$, which can be viewed as a special case of $\mathrm{OT}_n^h$.

Considering the variety of attacks we have to confront in real environments, a protocol for $\mathrm{OT}_n^h$ with security against malicious adversaries (a malicious adversary may act in any arbitrary way to learn as much extra information as possible) is more desirable than one with security against semi-honest adversaries (a semi-honest adversary, on one hand, honestly does everything the prescribed protocol tells him to; on the other hand, records the messages he sees in order to deduce extra information he is not supposed to know). Using Goldreich's compiler [24], [27], we can obtain the former version from the corresponding latter version. However, the resulting protocol is prohibitively expensive for practical use, because it embeds many invocations of zero-knowledge proofs for NP. Thus, directly constructing the protocol based on specific intractability assumptions seems more feasible.

The first step in this direction was made independently by [44] and [1], which each present an efficient two-round protocol for $\mathrm{OT}_2^1$ based on the decisional Diffie-Hellman (DDH) assumption. Starting from these works and using the tool of smooth projective hashing, [32] abstracts and generalizes the ideas of [1], [44] into a framework for $\mathrm{OT}_2^1$. Besides the DDH assumption, the framework can be instantiated under the decisional $N$-th residuosity (DNR) assumption and the decisional quadratic residuosity (DQR) assumption [32].

Unfortunately, these protocols (or frameworks) are only half-simulatable, not fully-simulatable. By saying a protocol is fully-simulatable, we mean that its security can be strictly proven under the real/ideal model simulation paradigm. The paradigm requires that for any adversary in the real world, there exists a corresponding adversary simulating him in the ideal world. Thus, the real adversary cannot do more harm than the corresponding ideal adversary does. Therefore the security level of the protocol is guaranteed to be no lower than that of the ideal world. Undesirably, a half-simulatable protocol for $\mathrm{OT}_2^1$ only provides a simulator in the case that the receiver is corrupted, such as [1], [44], or in the case that the sender is corrupted, such as [32].

Considering security, requiring a protocol to be fully-simulatable is necessary. Specifically, a fully-simulatable protocol provides security against all kinds of attacks, especially future unknown attacks mounted by any adversary whose computational resources are fixed when the protocol is constructed (generally, the adversaries are assumed to run in arbitrary probabilistic polynomial time) [7], [?], while a not fully-simulatable protocol doesn't. For example, the protocols proposed by [1], [32], [44] suffer from selective-failure attacks, in which a malicious sender can induce transfer failures that depend on the messages that the receiver requests.



Constructing fully-simulatable protocols for OT with security against malicious adversaries naturally becomes the focus of the research community. [6] first presents such a fully-simulatable protocol. In detail, the OT is an adaptive $h$-out-of-$n$ oblivious transfer (denoted by $\mathrm{OT}^n_{h \times 1}$ in the related literature) and is based on the $q$-Power Decisional Diffie-Hellman and $q$-Strong Diffie-Hellman assumptions. Unfortunately, these two assumptions are not standard assumptions used in cryptography and seem significantly stronger than DDH, DQR and so on. Motivated by basing OT on weaker complexity assumptions, [28] presents a protocol for $\mathrm{OT}_n^h$ using a blind identity-based encryption which is based on the decisional bilinear Diffie-Hellman (DBDH) assumption. Using the cut-and-choose technique, [36] later presents two efficient protocols for fully-simulatable $\mathrm{OT}_2^1$, based on the DDH assumption and the DNR assumption respectively, where the DDH-based protocol is the most efficient one among these fully-simulatable works.

The protocols mentioned above have their security proven in the plain stand-alone model, which does not necessarily allow concurrent composition with other arbitrary malicious protocols. [48] overcomes this weakness and furthers the research by presenting a framework in the common reference string (CRS) model for fully-simulatable, universally composable $\mathrm{OT}_2^1$ and instantiating the framework under the DDH, DQR and worst-case lattice assumptions respectively. It is notable that, conditioned on a trusted CRS being available, the DDH-based instantiation of the framework is the most efficient protocol for $\mathrm{OT}_2^1$, whether measured by the number of communication rounds or by the computational overhead. Recently, [20], using a novel compiler and the somewhat non-committing encryption they present, convert [48]'s instantiations based on DDH and DQR into corresponding protocols with a higher security level. In more detail, the resulting protocols for $\mathrm{OT}_2^1$ are secure against adaptive malicious adversaries, which corrupt the parties dynamically based on the knowledge gathered so far. Note that the fully-simulatable protocols for $\mathrm{OT}_2^1$ mentioned so far, except the one presented by [6], are only secure against non-adaptive malicious adversaries, which only corrupt parties preset before the running of the protocol.

Though constructing protocols for fully-simulatable $\mathrm{OT}_2^1$ with security against malicious adversaries has been well studied, constructing protocols for such $\mathrm{OT}_n^h$ has not. We note that there are some works aiming to extend known cryptographic protocols to $\mathrm{OT}_n^h$. [42] shows how to implement $\mathrm{OT}_n^h$ using $\log n$ invocations of $\mathrm{OT}_2^1$ under half-simulation. A similar implementation for adaptive $\mathrm{OT}_n^h$ can be seen in [43]. What's more, the same authors of [42], [43] propose a way to transform a single-server private information retrieval (PIR) scheme into an oblivious transfer scheme, also under half-simulation [45]. With the help of a random oracle, [30] shows how to extend $k$ oblivious transfers (for some security parameter $k$) into many more, without much additional effort. However, the random oracle model is risky. First, [10] shows that a scheme being secure in the random oracle model does not necessarily imply that a particular implementation of it (in the real world) is secure, or even that this scheme does not have any "structural flaws". Second, [10] shows that efficiently implementing the random oracle is impossible. Later, [35] finds that the random-oracle instantiations proposed by Bellare and Rogaway from 1993 and 1996, and the ones implicit in the IEEE P1363 and PKCS standards, are weaker than a random oracle. What is worse, [35] shows how the hash function defects fatally damage the security of the cryptographic schemes presented in [4], [5]. Therefore, in this paper, we only consider schemes which are fully-simulatable and do not resort to a random oracle. To the best of our knowledge, only [6] and [28] present such fully-simulatable protocols for $\mathrm{OT}_n^h$. However, the assumptions the former uses are not standard, and the latter is too expensive. Therefore, a well-motivated problem is to find a protocol or framework for efficient, fully-simulatable $\mathrm{OT}_n^h$ secure against malicious adversaries under weaker complexity assumptions.

1.2 Our Contribution

In this paper, we present a framework for efficient, fully-simulatable $\mathrm{OT}_n^h$ secure against non-adaptive malicious adversaries, whose security is proven in the standard model (i.e., without resorting to a random oracle). To the best of our knowledge, this is the first framework for such $\mathrm{OT}_n^h$. The framework has the following features.

1) Fully-simulatable and secure against malicious adversaries without using a CRS. [32]'s framework for $\mathrm{OT}_2^1$ is half-simulatable. Though [48]'s framework for $\mathrm{OT}_2^1$ is fully-simulatable, it doesn't work without a CRS. What is more, how to provide a trusted CRS before the protocol runs is still an unsolved problem. The existing possible solutions, such as the natural process suggested by [48], are only conjectures without formal proofs. The same problem remains in its adaptive version presented by [20]. What is worse, [?], [11] show that even given an authenticated communication channel, implementing a universally composable protocol providing a useful trusted CRS in the presence of malicious adversaries is impossible. Therefore, considering practical use, our framework is better.

2) Efficient. Compared with the existing protocols for fully-simulatable OT that do not resort to a CRS or a random oracle, i.e., the protocols presented by [6], [28], [36], the DDH-based instantiation of our framework costs the minimum number of communication rounds and the minimum computational overhead. Please see Section 4.4 and Section 4.3 for the detailed comparisons.

We admit that, in the context where a trusted CRS is available and only $\mathrm{OT}_2^1$ is needed, the DDH-based instantiation of [48] is the most efficient one.

3) Abstract and modular. The framework is described using just three high-level cryptographic tools, i.e., perfectly binding commitment (PBC), perfectly hiding commitment (PHC) and our new smooth projective hash (denoted by $\mathrm{SPHDHC}_{t,h}$ for simplicity). This allows a simple and intuitive understanding of its security.

4) Generally realizable. The high-level cryptographic tools PBC, PHC and $\mathrm{SPHDHC}_{t,h}$ are realizable from a variety of known specific assumptions, and maybe even from future assumptions. This makes our framework generally realizable. In particular, we instantiate $\mathrm{SPHDHC}_{t,h}$ from the DDH assumption, the DNR assumption, the DQR assumption and the lattice assumption. Instantiating PBC or PHC under specific assumptions is beyond the scope of this paper. Please see [23], [26] for such examples. General realizability is vital to make the framework live long, considering future progress in breaking a specific intractable problem. If this happens, replacing the instantiation based on the broken problem with one based on an unbroken problem suffices.

What is more, we refute the folklore [36] that it appears technically difficult to instantiate the projective hash under the lattice assumption, by presenting a lattice-based $\mathrm{SPHDHC}_{t,h}$ instantiation. It is notable that we obtain an $\mathrm{OT}_n^h$ instantiation which is secure against quantum algorithms, using this lattice-based $\mathrm{SPHDHC}_{t,h}$ instantiation and appropriate lattice-based commitment schemes. Considering that factoring integers and finding discrete logarithms are efficiently feasible for quantum algorithms [52]-[54], this is an example showing the benefits of the general realizability of the framework.

As an independent contribution, we present several propositions/lemmas related to the indistinguishability of probability ensembles defined by sampling polynomially many instances. Such propositions/lemmas simplify our security proof very much. We believe that they are as useful in security proofs elsewhere as in this paper.



1.3 Our Approach

We note that the smooth projective hash is a good abstract tool. Using this tool, [32] in fact presents a framework for half-simulatable $\mathrm{OT}_2^1$, and [21] presents a framework for password-based authenticated key exchange protocols. We also note that cut-and-choose is a good technique to make a protocol fully-simulatable. Using this technique, [36] presents several fully-simulatable protocols for $\mathrm{OT}_2^1$, and [37] presents a general fully-simulatable protocol for two-party computation. Indeed, we are inspired by such works. Our basic idea is to use the cut-and-choose technique and smooth projective hashing to get a fully-simulatable framework.

Loosely speaking, a smooth projective hash (SPH) is a set of operations defined over two languages $L$ and $\bar{L}$, where $L \cap \bar{L} = \emptyset$. For any projective instance $x \in L$, there are two ways to obtain its hash value, i.e., the way using its hash key or the way using its projective key and its witness $w$. For any smooth instance $\bar{x} \in \bar{L}$, there is only one way to obtain its hash value, i.e., the way using its hash key. The version of SPH presented by [32] (denoted by VSPHH for simplicity) has a property called verifiable smoothness, which makes it possible to judge whether at least one of two arbitrary instances is smooth. Another property VSPHH has, called hard subset membership, makes sure that $x$ and $\bar{x}$ are computationally indistinguishable.

We observe that VSPHH is indeed easy to extend to deal with $\mathrm{OT}_n^1$, but seems difficult to extend to deal with the general $\mathrm{OT}_n^h$. The reason is that, to achieve verifiable smoothness, $x$ and $\bar{x}$ have to be generated in a dependent way. This makes verifiable smoothness for multiple $x$s and multiple $\bar{x}$s (i.e., judging whether at least $n-h$ of $n$ arbitrary instances are smooth) difficult to achieve without leaking information which helps to distinguish such $x$s and $\bar{x}$s. We also observe that there is no way to construct a fully-simulatable framework using VSPHH, because there is no way to extract the real input of the adversary in the case that the receiver is corrupted.

We define a new smooth projective hash called $t$-smooth $h$-projective hash family that has the properties distinguishability, hard subset membership and feasible cheating (denoted by $\mathrm{SPHDHC}_{t,h}$ for simplicity). The key solution in $\mathrm{SPHDHC}_{t,h}$ to the mentioned problems is to require each $\bar{x}$ to hold a witness too. This solution enables us to generate $x$s and $\bar{x}$s in an independent way. Correspondingly, verifiable smoothness is not needed any more and is replaced by a property called distinguishability, which provides a way to distinguish $x$s and $\bar{x}$s if their witnesses are given.

Since the receiver encodes his input as a permutation of $x$s and $\bar{x}$s, a simulator can extract the real input of the adversary in the case that the receiver is corrupted if their witnesses are available. Combined with the application of the cut-and-choose technique, a simulator can see such witnesses by rewinding the adversary. To extract the real input of the adversary in the case that the sender is corrupted, the property feasible cheating provides a way to cheat the adversary out of his real input. Naturally, all the properties and the correlated algorithms in $\mathrm{SPHDHC}_{t,h}$ are extended to deal with $n$ instances rather than only 2 instances. Please see Section 3.2 for a detailed comparison of this new hash with previous hash systems.

We show that constructing $\mathrm{SPHDHC}_{t,h}$ can be reduced to constructing considerably simpler hash systems. Our lattice-based $\mathrm{SPHDHC}_{t,h}$ instantiation is built on the lattice-based cryptosystem presented by [36]. It is noticeable that it appears difficult to get a lattice-based instantiation for SPH [36]. Our solution is to let the instance $x$ ($x \in L \cup \bar{L}$) be available to the algorithm that is responsible for generating the pair of the hash key and the projective key. The other three intractability-assumption-based $\mathrm{SPHDHC}_{t,h}$ instantiations can ultimately be built from known SPH schemes such as that presented by [32], with necessary modifications.

Using $\mathrm{SPHDHC}_{t,h}$ we construct the framework, described at a high level as follows.

1) The receiver generates hash parameters and appropriately many instance vectors, then sends them to the sender after disordering each vector.

2) The receiver and the sender cooperate to toss coins to decide which vectors are to be opened.

3) The receiver opens the chosen vectors, encodes his private input by reordering each unchosen vector and sends the resulting code, which in fact is a sequence of permutations, to the sender.

4) The sender checks that the chosen vectors are generated in the legal way, which guarantees that the receiver learns at most $h$ messages. If the check passes, the sender encrypts his private input (i.e., the $n$ messages he holds) using the hash values of the instances of the unchosen vectors in the way indicated by the code of the receiver's private input, and sends the ciphertexts together with some auxiliary information (i.e., the projective hash keys) that helps decrypt some of the ciphertexts to the receiver.

5) The receiver decrypts the ciphertexts with the help of the auxiliary information and obtains the messages he expects.

Intuitively speaking, the receiver's security is implied by the hard subset membership property of $\mathrm{SPHDHC}_{t,h}$. This property guarantees that the receiver can securely encode his private input by reordering each unchosen instance vector. The sender's security is implied by the cut-and-choose technique, which guarantees that the probability that an adversary controlling a corrupted receiver learns extra new knowledge is negligible.
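Added here as a worked illustration of the five steps above and of the smooth projective hash of Section 1.3 (witness-carrying smooth instances, hash via hash key versus hash via projective key); it is constructed example code, not the paper's own. It assumes a toy safe-prime DDH group ($p = 10007$), SHA-256 as the key-derivation step, and a sender-chosen challenge set in place of the joint coin toss of step 2.

```python
"""Toy end-to-end run of the cut-and-choose OT_n^h framework over a DDH-style
smooth projective hash.  Constructed for this page, not the paper's code.
Assumed: a tiny safe-prime group (p = 10007, q = 5003), SHA-256 as KDF, and
the sender picking the challenge set instead of the joint coin toss (step 2)."""
import hashlib
import secrets

P, Q = 10007, 5003        # toy group p = 2q + 1 (constructed; far too small for real use)
G0, G1 = 4, 9             # squares mod p, hence generators of the order-q subgroup
RNG = secrets.SystemRandom()

# Instance x = (u, v) = (g0^r, g1^r').  x is projective (in L) iff r == r', and
# smooth (in L-bar) iff r != r'.  Both kinds carry a witness (r, r'): this is the
# SPHDHC "distinguishability" idea, witnesses let anyone tell L from L-bar.
def gen_instance(projective):
    r = RNG.randrange(1, Q)
    r2 = r if projective else (r + RNG.randrange(1, Q - 1)) % Q   # r2 != r mod q
    return (pow(G0, r, P), pow(G1, r2, P)), (r, r2)

def witness_kind(x, wit):
    """'proj', 'smooth', or None when the witness does not open x at all."""
    (u, v), (r, r2) = x, wit
    if u != pow(G0, r, P) or v != pow(G1, r2, P):
        return None
    return "proj" if r == r2 else "smooth"

def hash_keygen():
    """Hash key (a, b) and its projective key g0^a * g1^b."""
    a, b = RNG.randrange(Q), RNG.randrange(Q)
    return (a, b), (pow(G0, a, P) * pow(G1, b, P)) % P

def hash_with_key(hk, x):          # H_hk(x) = u^a * v^b; works for every instance
    (a, b), (u, v) = hk, x
    return (pow(u, a, P) * pow(v, b, P)) % P
def hash_with_proj(pk, wit):       # pk^r equals H_hk(x) only when x = (g0^r, g1^r)
    return pow(pk, wit[0], P)
def kdf(group_elem):
    return hashlib.sha256(str(group_elem).encode()).digest()
def xor(a, b):                     # truncates to the shorter input
    return bytes(p ^ q for p, q in zip(a, b))

def receiver_vectors(n, h, count):
    """Step 1: `count` vectors of n instances, exactly h projective, each shuffled."""
    vecs = []
    for _ in range(count):
        items = [gen_instance(j < h) for j in range(n)]
        RNG.shuffle(items)
        vecs.append(items)                 # list of (x, witness) pairs
    return vecs

def encode_choice(vec, H, n):
    """Step 3: permutation sigma such that vec[sigma[j]] is projective iff j in H."""
    proj = [i for i, (x, w) in enumerate(vec) if witness_kind(x, w) == "proj"]
    smooth = [i for i, (x, w) in enumerate(vec) if witness_kind(x, w) == "smooth"]
    return [proj.pop() if j in H else smooth.pop() for j in range(n)]

def sender_check(xs, wits, h):
    """Step 4 check on an opened vector: every witness must open its instance and
    exactly h instances may be projective, so at most h hashes are recoverable."""
    kinds = [witness_kind(x, w) for x, w in zip(xs, wits)]
    return None not in kinds and kinds.count("proj") == h

def run_ot(messages, H, h, t=3):
    """Whole run; messages are byte strings of at most 32 bytes. Returns {j: m_j} for j in H."""
    n = len(messages)
    vecs = receiver_vectors(n, h, 2 * t)
    public = [[x for x, _ in vec] for vec in vecs]             # what the sender sees
    # Step 2 (simplified): the sender picks t of the 2t vectors to be opened.
    opened = sorted(RNG.sample(range(2 * t), t))
    unopened = [i for i in range(2 * t) if i not in opened]
    # Step 3: receiver reveals witnesses of the opened vectors, encodes H on the rest.
    openings = {i: [w for _, w in vecs[i]] for i in opened}
    perms = {i: encode_choice(vecs[i], H, n) for i in unopened}
    # Step 4: sender verifies the opened vectors, then encrypts m_j under the XOR of
    # fresh hashes of the instance each permutation points at, over every unopened
    # vector; a cheating receiver would have to have malformed all of them.
    for i in opened:
        if not sender_check(public[i], openings[i], h):
            raise ValueError("opened vector %d is malformed" % i)
    ciphertexts, proj_keys = [], []
    for j in range(n):
        key, pks = bytes(32), []
        for i in unopened:
            hk, pk = hash_keygen()
            key = xor(key, kdf(hash_with_key(hk, public[i][perms[i][j]])))
            pks.append(pk)
        ciphertexts.append(xor(messages[j], key))
        proj_keys.append(pks)
    # Step 5: for j in H the receiver holds projective witnesses, so pk^r recovers
    # every hash; for j not in H the smooth instances leave the key uniform.
    out = {}
    for j in H:
        key = bytes(32)
        for pk, i in zip(proj_keys[j], unopened):
            key = xor(key, kdf(hash_with_proj(pk, vecs[i][perms[i][j]][1])))
        out[j] = xor(ciphertexts[j], key)
    return out
```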

1.4 Organization

In Section 2 we describe the notations used in this paper, the security definition of $\mathrm{OT}_n^h$ and the definition of commitment scheme. In Section 3 we define our new hash system, i.e., $\mathrm{SPHDHC}_{t,h}$. In Section 4 we construct our framework. In Section 5 we prove the security of the framework. In Section 6 we reduce constructing $\mathrm{SPHDHC}_{t,h}$ to constructing considerably simpler hash systems. In Section 7 we instantiate $\mathrm{SPHDHC}_{t,h}$ under the lattice, DDH, DNR and DQR assumptions, respectively.

2 Preliminaries

Most notations and concepts mentioned in this section originate from [7], [23], [24], which are basic literature in the field of secure multi-party computation (SMPC). We tailor them to the needs of dealing with $\mathrm{OT}_n^h$.

2.1 Basic Notations

We denote an unspecified positive polynomial by $poly(\cdot)$. We denote the set of all natural numbers by $\mathbb{N}$. For any $i \in \mathbb{N}$, $[i] \stackrel{\mathrm{def}}{=} \{1, 2, \ldots, i\}$. We denote the set of all prime numbers by $\mathbb{P}$.

We denote the security parameter used to measure security and complexity by $k$. A function $\mu(\cdot)$ is negligible in $k$ if there exists a positive constant integer $n_0$ such that, for any $poly(\cdot)$ and any $k$ greater than $n_0$ (for simplicity, we later call such $k$ sufficiently large $k$), it holds that $\mu(k) < 1/poly(k)$. A probability ensemble $X = \{X(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$ is an infinite sequence of random variables indexed by $(k, a)$, where $a$ represents various types of inputs used to sample the instances according to the distribution of the random variable $X(1^k, a)$. Probability ensemble $X$ is polynomial-time constructible if there exists a probabilistic polynomial-time (PPT) sampling algorithm $S_X(\cdot)$ such that for any $a$ and any $k$, the random variables $S_X(1^k, a)$ and $X(1^k, a)$ are identically distributed. We denote sampling an instance according to $X(1^k, a)$ by $x \leftarrow S_X(1^k, a)$.

Let $X = \{X(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$ and $Y = \{Y(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$ be two probability ensembles. They are computationally indistinguishable, denoted $X \stackrel{c}{=} Y$, if for any non-uniform PPT algorithm $D$ with an infinite auxiliary information sequence $z = (z_k)_{k \in \mathbb{N}}$ (where each $z_k \in \{0,1\}^*$), there exists a negligible function $\mu(\cdot)$ such that for any sufficiently large $k$ and any $a$, it holds that

$$\left|\Pr[D(1^k, X(1^k, a), a, z_k) = 1] - \Pr[D(1^k, Y(1^k, a), a, z_k) = 1]\right| < \mu(k).$$

They are the same, denoted $X \equiv Y$, if for any sufficiently large $k$ and any $a$, $X(1^k, a)$ and $Y(1^k, a)$ are defined in the same way. They are equal, denoted $X \stackrel{d}{=} Y$, if for any sufficiently large $k$ and any $a$, the distributions of $X(1^k, a)$ and $Y(1^k, a)$ are identical. Obviously, if $X \equiv Y$ then $X \stackrel{d}{=} Y$; if $X \stackrel{d}{=} Y$ then $X \stackrel{c}{=} Y$.

Let $\vec{x}$ be a vector (note that an arbitrary binary string can be viewed as a vector). We denote its $i$-th element by $\vec{x}(i)$, its dimensionality by $\#\vec{x}$, and its length in bits by $|\vec{x}|$. For any set of positive integers $I$ and any vector $\vec{x}$, $\vec{x}(I) \stackrel{\mathrm{def}}{=} (\vec{x}(i))_{i \in I,\, i \le \#\vec{x}}$.

Let $M$ be a probabilistic (interactive) Turing machine. By $M_r(\cdot)$ we denote $M$'s output generated at the end of an execution using randomness $r$.

Let $f : D \to R$. Let $D' \subseteq \{0,1\}^*$. Then $f(D') \stackrel{\mathrm{def}}{=} \{f(x) \mid x \in D' \cap D\}$ and $Range(f) \stackrel{\mathrm{def}}{=} f(D)$.

Let $x \in_\chi Y$ denote sampling an instance $x$ from domain $Y$ according to the distribution law (or probability density function) $\chi$. Specifically, let $x \in_U Y$ denote uniformly sampling an instance $x$ from domain $Y$.



2.2 Security Definition of a Protocol for $\mathrm{OT}_n^h$

2.2.1 Functionality of $\mathrm{OT}_n^h$

$\mathrm{OT}_n^h$ involves two parties, party $P_1$ (i.e., the sender) and party $P_2$ (i.e., the receiver). $\mathrm{OT}_n^h$'s functionality is formally defined as follows:

$$f : \mathbb{N} \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \times \{0,1\}^*, \qquad f(1^k, \vec{m}, H) = (\lambda, \vec{m}(H))$$

where

• $k$ is the public security parameter.

• $\vec{m} \in (\{0,1\}^*)^n$ is $P_1$'s private input, and each $|\vec{m}(i)|$ is the same.

• $H \in \{B \mid B \subseteq [n], \#B = h\}$ is $P_2$'s private input.

• $\lambda$ denotes the empty string and is what $P_1$ is supposed to obtain. That is, $P_1$ is supposed to get nothing.

• $\vec{m}(H)$ is what $P_2$ is supposed to obtain.

Note that the lengths of all parties' private inputs have to be identical in SMPC (please see [24] for the reason and related discussion). This means that $|\vec{m}| = |H|$ is required. Without loss of generality, in this paper we assume $|\vec{m}| = |H|$ always holds, because padding can easily be used to meet such a requirement.

Intuitively speaking, the security of $\mathrm{OT}_n^h$ requires that $P_1$ can't learn any new knowledge (typically, $P_2$'s private input) from the interaction at all, and that $P_2$ can't learn more than $h$ of the messages held by $P_1$. To capture the security in a formal way, concepts such as adversary, trusted third party, ideal world and real world were introduced. Note that the security target in this paper is security against non-adaptive malicious adversaries, so only concepts related to this case are referred to in the following.

2.2.2 Non-Adaptive Malicious Adversary

Before running $\mathrm{OT}_n^h$, the adversary $A$ has to corrupt all parties listed in $I \subseteq [2]$. In the case that $U \in \{P_1, P_2\}$ is not corrupted, $U$ will strictly follow the prescribed protocol as an honest party. In the case that party $U$ is corrupted, $U$ will be fully controlled by $A$ as a corrupted party. In this case, $U$ will have to pass all his knowledge to $A$ before the protocol runs and follow $A$'s instructions from then on, so there is a probability that $U$ arbitrarily deviates from the prescribed protocol. In fact, after $A$ finishes corrupting, $A$ and all corrupted parties have formed a coalition led by $A$ to learn as much extra knowledge, e.g. the honest parties' private inputs, as possible. From then on, they share knowledge with each other and coordinate their behavior. Without loss of generality, we can view this coalition as follows. All corrupted parties are dummies. $A$ receives the messages addressed to the members of the coalition and sends messages on behalf of the members.

Loosely speaking, we say $\mathrm{OT}_n^h$ is secure if and only if, for any malicious adversary $A$, the knowledge $A$ learns in the real world is not more than what he learns in the ideal world. In other words, if and only if, for any malicious adversary $A$, the harm $A$ can do in the real world is not more than the harm he can do in the ideal world. In the ideal world, there is an incorruptible trusted third party (TTP). All parties hand their private inputs to the TTP. The TTP computes $f$ and sends $f(\cdot)(i)$ back to $P_i$. In the real world, there is no TTP, and the computation of $f(\cdot)$ is carried out through the interaction of $A$ and all parties.

2.2.3 $\mathrm{OT}_n^h$ in the Ideal World

In the ideal world, an execution of $\mathrm{OT}_n^h$ proceeds as follows.

Initial Inputs. All entities know the public security parameter $k$. $P_1$ holds a private input $\vec{m} \in (\{0,1\}^*)^n$. Party $P_2$ holds a private input $H \in \{B \mid B \subseteq [n], \#B = h\}$. Adversary $A$ holds a name list $I \subseteq [2]$, a randomness $r_A \in \{0,1\}^*$ and an infinite auxiliary input sequence $z = (z_k)_{k \in \mathbb{N}}$, where $z_k \in \{0,1\}^*$. Before proceeding to the next stage, $A$ corrupts the parties listed in $I$ and learns $\vec{x}(I)$, where $\vec{x} = (\vec{m}, H)$.

Submitting inputs to the TTP. Each honest party $P_i$ always submits its private input $\vec{x}(i)$ unchanged to the TTP. $A$ submits arbitrary strings, based on his knowledge, to the TTP for the corrupted parties. The string the TTP receives is a two-dimensional vector $\vec{y}$ which is formally described as follows.

$$\vec{y}(i) = \begin{cases} \vec{x}(i) & i \notin I \\ \alpha & i \in I \end{cases}$$

where $\alpha \in \{\vec{x}(i)\} \cup \{0,1\}^{|\vec{x}(i)|} \cup \{abort_i\}$ and $\alpha \leftarrow A(1^k, I, r_A, z_k, \vec{x}(I))$. Obviously, there is a probability that $\vec{x} \neq \vec{y}$.

TTP computing $f$. The TTP checks that $\vec{y}$ is a valid input to $f$, i.e., that no entry of $\vec{y}$ is of the form $abort_i$. If $\vec{y}$ passes the check, then the TTP computes $f$ and sets $\vec{w}$ to be $f(1^k, \vec{y})$. Otherwise, the TTP sets $\vec{w}$ to be $(abort_i, abort_i)$. Finally, for each $i \in [n]$ the TTP hands $\vec{w}(i)$ to $P_i$ respectively and halts.

Outputs. Each honest party $P_i$ always outputs the message $\vec{w}(i)$ it obtains from the TTP. Each corrupted party $P_i$ outputs nothing (i.e., $\lambda$). The adversary outputs something generated by executing an arbitrary function of the information he has gathered so far. Without loss of generality, this can be assumed to be $(1^k, I, r_A, z_k, \vec{x}(I), \vec{w}(I))$.

The output of the whole execution in the ideal world, denoted by $Ideal_{f,I,A(z_k)}(1^k, \vec{m}, H)$, is defined by the outputs of all parties and that of the adversary as follows.

$$Ideal_{f,I,A(z_k)}(1^k, \vec{x}, r_A)(i) \stackrel{\mathrm{def}}{=} \begin{cases} A\text{'s output, i.e., } (1^k, I, r_A, z_k, \vec{x}(I), \vec{w}(I)), & i = 0; \\ P_i\text{'s output, i.e., } \lambda, & i \in I; \\ P_i\text{'s output, i.e., } \vec{w}(i), & i \in [n] - I. \end{cases}$$

Obviously, $Ideal_{f,I,A(z_k)}(1^k, \vec{m}, H)$ is a random variable whose randomness is $r_A$.

2.2.4 $\mathrm{OT}_n^h$ in the Real World

In the real world, there is no TTP. An execution of $\mathrm{OT}_n^h$ proceeds as follows.

Initial Inputs. The initial input each entity holds in the real world is the same as in the ideal world, with the following differences. A randomness $r_i$ is held by each party $P_i$. After finishing corrupting, in addition to the knowledge $A$ learns in the ideal world, the corrupted parties' randomness $\vec{r}(I)$ is also learned by $A$, where $\vec{r} = (r_1, r_2)$.

Computing $f$. In the real world, computing $f$ is carried out through all entities' interaction. Each honest party strictly follows the prescribed protocol (i.e., the concrete protocol, usually denoted $\pi$, for $\mathrm{OT}_n^h$). The corrupted parties have to follow $A$'s instructions and may arbitrarily deviate from the prescribed protocol.

Outputs. Each honest party $P_i$ always outputs what the prescribed protocol instructs. Each corrupted party $P_i$ outputs nothing. The adversary outputs something generated by executing an arbitrary function of the information he has gathered so far. Without loss of generality, this can be assumed to be a string consisting of $1^k, I, r_A, \vec{r}(I), z_k, \vec{x}(I)$ and the messages addressed to the corrupted parties.

The output of the whole execution in the real world, denoted by $Real_{\pi,I,A(z_k)}(1^k, \vec{m}, H, r_A, \vec{r})$, is defined by the outputs of all parties and that of the adversary as follows.

$$Real_{\pi,I,A(z_k)}(1^k, \vec{m}, H, r_A, \vec{r})(i) \stackrel{\mathrm{def}}{=} \begin{cases} A\text{'s output, i.e., } (1^k, I, r_A, \vec{r}(I), z_k, \vec{x}(I), msg_I), & i = 0; \\ P_i\text{'s output, i.e., } \lambda, & i \in I; \\ P_i\text{'s output, i.e., what is instructed by } \pi, & i \in [n] - I. \end{cases}$$

Obviously, $Real_{\pi,I,A(z_k)}(1^k, \vec{m}, H)$ is a random variable whose randomnesses are $r_A$ and $\vec{r}$.

2.2.5 Security Definition

The security of a protocol for $\mathrm{OT}_n^h$ is formally captured by the following definition.

Definition 1 (The security of a protocol for $\mathrm{OT}_n^h$). Let $f$ denote the functionality of $\mathrm{OT}_n^h$ and let $\pi$ be a concrete protocol for $\mathrm{OT}_n^h$. We say $\pi$ securely computes $f$ if and only if for any non-uniform probabilistic polynomial-time adversary $A$ with an infinite sequence $z = (z_k)_{k \in \mathbb{N}}$ in the real world, there exists a non-uniform probabilistic expected polynomial-time adversary $A'$ with the same sequence in the ideal world such that, for any $I \subseteq [2]$, it holds that

$$\{Real_{\pi,I,A(z_k)}(1^k, \vec{m}, H)\}_{k \in \mathbb{N},\, \vec{m} \in (\{0,1\}^*)^n,\, H \in \{B \mid B \subseteq [n], \#B = h\},\, z_k \in \{0,1\}^*} \stackrel{c}{=} \{Ideal_{f,I,A'(z_k)}(1^k, \vec{m}, H)\}_{k \in \mathbb{N},\, \vec{m} \in (\{0,1\}^*)^n,\, H \in \{B \mid B \subseteq [n], \#B = h\},\, z_k \in \{0,1\}^*} \qquad (1)$$

where the parameters input to the two probability ensembles are the same and each $\vec{m}(i)$ is of the same length. The adversary $A'$ in the ideal world is called a simulator of the adversary $A$ in the real world.

The concept of non-uniform probabilistic expected polynomial-time, mentioned in Definition 1, is formulated in distinct ways in distinct literature such as [8], [23]. We prefer the following definition [33], because it is clearer in formulation and more closely related to our issue.

Definition 2 ($M_1$ runs in expected polynomial-time with respect to $M_2$). Let $M_1, M_2$ be two interactive Turing machines running a protocol. By $\langle M_1(x_1, r_1, z_1), M_2(x_2, r_2, z_2)\rangle(1^k)$ we denote a run which starts with $M_i$ holding a private input $x_i$, a randomness $r_i$, an auxiliary input $z_i$ and the public security parameter $k$. By $IDN_{M_1}(\langle M_1(x_1, r_1, z_1), M_2(x_2, r_2, z_2)\rangle(1^k))$ we denote the total number of direct deduction steps $M_1$ takes in the whole run. We say $M_1$ runs in expected polynomial-time with respect to $M_2$ if and only if there exists a polynomial $poly(\cdot)$ such that for every $k \in \mathbb{N}$ it holds that

$$\max\left(\left\{E_{R_1, R_2}\left(IDN_{M_1}(\langle M_1(x_1, R_1, z_1), M_2(x_2, R_2, z_2)\rangle(1^k))\right) \;\middle|\; |x_1| = |x_2| = k,\ z_1, z_2 \in \{0,1\}^*\right\}\right) \le poly(k)$$

where $R_1, R_2$ are random variables with uniform distribution over $\{0,1\}^*$.

Definition 1 in fact requires that adversary $A$'s simulator $A'$ run in expected polynomial-time with respect to the TTP who computes $\mathrm{OT}_n^h$'s functionality.

We point out that the security definition presented in [7], [23], [24] requires the simulator $A'$ to run in strictly polynomial time, but the one presented in [8], [36], [37] allows $A'$ to run in expected polynomial time. Definition 1 follows the latter. We argue that this is justified, since [3] shows that there is no (non-trivial) constant-round zero-knowledge proof or argument having a strictly polynomial-time black-box simulator, which means that allowing the simulator to run in expected polynomial time is essential for achieving constant-round protocols. See [33] for further discussion.



2.3 Commitment Scheme

In this section, we briefly introduce the cryptographic tool commitment scheme, which will be used in our framework. For the strict definition and the details, please see [23] or [26].

Definition 3 (commitment scheme, non-strict description, [23], [26]). A commitment scheme is a two-party protocol involving two phases.

• Initial Inputs. At the beginning, all parties know the public security parameter $k$. The unbounded sender $P_1$ holds a randomness $r_1 \in \{0,1\}^*$ and a value $m \in \{0,1\}^{poly(k)}$ to be committed to, where the polynomial $poly(\cdot)$ is public. The PPT receiver $P_2$ holds a randomness $r_2 \in \{0,1\}^*$.

• Commit Phase. $P_1$ computes a commitment, denoted $\alpha$, based on his knowledge, i.e., $\alpha \leftarrow P_1(1^k, m, r_1)$, then $P_1$ sends $\alpha$ to $P_2$.

 - The security for $P_1$ is implied by the property computationally hiding, which prevents $P_2$ from learning the value committed by $P_1$. That is, for any PPT $P_2$ and any $m_1, m_2 \in \{0,1\}^{poly(k)}$, it holds that

 $$\{\mathrm{ViewC}_{P_2}(\langle P_1(m_1), P_2\rangle(1^k))\}_{k\in\mathbb{N}} \stackrel{c}{\equiv} \{\mathrm{ViewC}_{P_2}(\langle P_1(m_2), P_2\rangle(1^k))\}_{k\in\mathbb{N}}$$

 where $\mathrm{ViewC}_{P_2}(\cdot)$ denotes $P_2$'s view in the commit phase.

• Reveal Phase. $P_1$ computes and sends a de-commitment, which typically consists of $m, r_1$, to $P_2$ to let $P_2$ know $m$. Receiving the de-commitment, $P_2$ checks its validity. Typically $P_2$ checks that $\alpha = P_1(1^k, m, r_1)$ holds. If the de-commitment passes the check, $P_2$ knows and accepts $m$.

 - The security for $P_2$ is implied by the property perfectly binding, which guarantees that for any unbounded $P_1$ and any $m_1, m_2 \in \{0,1\}^{poly(k)}$ such that $m_1 \neq m_2$, the probability that $P_2$ accepts $m_2$ while $P_1$ commits to $m_1$ is zero, where the probability is taken only over the randomness used by $P_2$.

The above definition defines perfectly binding commitment schemes (denoted by PBC). Relaxing the property binding to allow the probability of a successful cheat by an unbounded $P_1$ to be negligible, the above definition defines statistically binding commitment schemes. Correspondingly, in the setting that $P_1$ is PPT and $P_2$ is unbounded, there exist perfectly hiding commitment schemes (denoted by PHC) and statistically hiding commitment schemes, which provide perfect hiding and statistical hiding to $P_1$ respectively, and only computational binding to $P_2$. If a property is secure against unbounded adversaries, we say this property is information-theoretically secure. We remark that there is no commitment scheme holding both information-theoretically binding and information-theoretically hid-



3 A New Smooth Projective Hash - $SPHDHC_{t,h}$

3.1 The Definition Of $SPHDHC_{t,h}$

In this section, we define a new smooth projective hash, a $t$-smooth $h$-projective hash family that holds the properties distinguishability, hard subset membership and feasible cheating, denoted $SPHDHC_{t,h}$ for simplicity, which will be used to construct our framework for $OT^n_h$. In Section 7 we instantiate $SPHDHC_{t,h}$ under four distinct intractability assumptions.

Let us recall some related works before defining $SPHDHC_{t,h}$. [12], [55] present the classic notion of "universal hashing". Based on "universal hashing", [15] first introduces the concepts of universal projective hashing, smooth projective hashing and the hard subset membership problem in terms of languages and sets. In order to construct a framework for password-based authenticated key exchange, [21] modifies this definition to some extent: smoothness is defined over every instance of a language rather than over a randomly chosen instance. [32] refines the modified version in terms of the procedures used to implement it. What is more, a new requirement called verifiable smoothness is added to the hashing so as to construct a framework for $OT^2_1$. The resulting hashing is called a verifiably-smooth projective hash family that has the hard subset membership property (denoted by VSPHH for simplicity). Note that the framework presented by [32] is not fully-simulatable. The difference between $SPHDHC_{t,h}$ and the works mentioned above will be discussed in detail after we define $SPHDHC_{t,h}$.

For clarity in presentation, we assume $n = h + t$ always holds and introduce additional notations. Let $R = \{(x,w) \mid x, w \in \{0,1\}^*\}$ be a relation; then $L_R \stackrel{def}{=} \{x \mid x \in \{0,1\}^*, \exists w\,((x,w) \in R)\}$ and $R(x) \stackrel{def}{=} \{w \mid (x,w) \in R\}$. $\Pi \stackrel{def}{=} \{\pi \mid \pi : [n] \to [n],\ \pi \text{ is a permutation}\}$. Let $\pi \in \Pi$ (to comply with other literature, we also use $\pi$ somewhere to denote a protocol without bringing any confusion). Let $\vec x$ be an arbitrary vector. By $\pi(\vec x)$ we denote the vector resulting from applying $\pi$ to $\vec x$. That is, $\vec y = \pi(\vec x)$ if and only if $\forall i\,(i \in [d] \to \vec x(i) = \vec y(\pi(i))) \wedge \forall i\,(i \notin [d] \to \vec x(i) = \vec y(i))$ holds, where $d \stackrel{def}{=} \min(\#\vec x, n)$.

Definition 4 ($t$-smooth $h$-projective hash family that holds the properties distinguishability, hard subset membership and feasible cheating). $\mathcal{H} = (PG, IS, DI, KG, Hash, pHash, Cheat)$ is a $t$-smooth $h$-projective hash family that holds the properties distinguishability, hard subset membership and feasible cheating ($SPHDHC_{t,h}$) if and only if $\mathcal{H}$ is specified as follows

• The parameter-generator $PG$ is a PPT algorithm that takes a security parameter $k$ as input and outputs a family parameter $\Lambda$, i.e., $\Lambda \leftarrow PG(1^k)$. $\Lambda$ will be used as a parameter to define three relations $R_\Lambda$, $\bar R_\Lambda$ and $R'_\Lambda$, where $R'_\Lambda = R_\Lambda \cup \bar R_\Lambda$. Moreover, $R_\Lambda \cap \bar R_\Lambda = \emptyset$ is supposed to hold.

• The instance-sampler $IS$ is a PPT algorithm that takes a security parameter $k$ and a family parameter $\Lambda$ as input and outputs a vector $\vec\xi$, i.e., $\vec\xi \leftarrow IS(1^k, \Lambda)$.

 Let $\vec\xi = ((x_1,w_1),\ldots,(x_h,w_h),(\bar x_{h+1},\bar w_{h+1}),\ldots,(\bar x_n,\bar w_n))^T$ be a vector generated by $IS$. We call each $x_i$ or $\bar x_i$ an instance of $L_{R'_\Lambda}$. For each pair $(x_i,w_i)$ (resp., $(\bar x_i,\bar w_i)$), $w_i$ (resp., $\bar w_i$) is called a witness of $x_i \in L_{R_\Lambda}$ (resp., $\bar x_i \in L_{\bar R_\Lambda}$). Note that, in this way, we have indeed defined the relations $R_\Lambda$, $\bar R_\Lambda$ and $R'_\Lambda$ here. The properties smoothness and projection we will mention later make sure $R_\Lambda \cap \bar R_\Lambda = \emptyset$ holds.
 For simplicity in formulation later, we introduce some additional notations here. For $\vec\xi$ mentioned above, $\vec x_\xi = (x_1,\ldots,x_h,\bar x_{h+1},\ldots,\bar x_n)^T$ and $\vec w_\xi = (w_1,\ldots,w_h,\bar w_{h+1},\ldots,\bar w_n)^T$. What is more, we abuse the notation $\in$ to some extent. We write $\vec x \in Range(IS(1^k,\Lambda))$ if and only if there exists a vector $\vec\xi$ such that $\vec x_\xi = \vec x$ and $\vec\xi \in Range(IS(1^k,\Lambda))$. We write $x \in Range(IS(1^k,\Lambda))$ if and only if there exists a vector $\vec x$ such that $\vec x \in Range(IS(1^k,\Lambda))$ and $x$ is an entry of $\vec x$.

• The distinguisher $DI$ is a PPT algorithm that takes a security parameter $k$, a family parameter $\Lambda$ and a pair of strings $(x,w)$ as input and outputs an indicator bit $b$, i.e., $b \leftarrow DI(1^k,\Lambda,x,w)$.

• The key generator $KG$ is a PPT algorithm that takes a security parameter $k$, a family parameter $\Lambda$ and an instance $x$ as input and outputs a hash key and a projection key, i.e., $(hk,pk) \leftarrow KG(1^k,\Lambda,x)$.

• The hash $Hash$ is a PPT algorithm that takes a security parameter $k$, a family parameter $\Lambda$, an instance $x$ and a hash key $hk$ as input and outputs a value $y$, i.e., $y \leftarrow Hash(1^k,\Lambda,x,hk)$.

• The projection $pHash$ is a PPT algorithm that takes a security parameter $k$, a family parameter $\Lambda$, an instance $x$, a witness $w$ of $x$ and a projection key $pk$ as input and outputs a value $y$, i.e., $y \leftarrow pHash(1^k,\Lambda,x,pk,w)$.

• The cheat $Cheat$ is a PPT algorithm that takes a security parameter $k$ and a family parameter $\Lambda$ as input and outputs $n$ elements of $R_\Lambda$, i.e., $((x_1,w_1),\ldots,(x_n,w_n)) \leftarrow Cheat(1^k,\Lambda)$.

and $\mathcal{H}$ has the following properties

1) Projection. Intuitively speaking, it requires that for any instance $x \in L_{R_\Lambda}$, the hash value of $x$ is obtainable with the help of its witness $w$. That is, for any sufficiently large $k$, any $\Lambda \in Range(PG(1^k))$, any $(x,w)$ generated by $IS(1^k,\Lambda)$ and any $(hk,pk) \in Range(KG(1^k,\Lambda,x))$, it holds that

$$Hash(1^k,\Lambda,x,hk) = pHash(1^k,\Lambda,x,pk,w)$$

2) Smoothness. Intuitively speaking, it requires that for any instance vector $\vec x \in L^t_{\bar R_\Lambda}$, the hash values of $\vec x$ are random and unobtainable unless their hash keys are known. That is, for any $\pi \in \Pi$, the two probability ensembles $Sm_1 = \{Sm_1(1^k)\}_{k\in\mathbb{N}}$ and $Sm_2 = \{Sm_2(1^k)\}_{k\in\mathbb{N}}$, defined as follows, are computationally indistinguishable, i.e., $Sm_1 \stackrel{c}{\equiv} Sm_2$.

 $SmGen_1(1^k)$: $\Lambda \leftarrow PG(1^k)$, $\vec\xi \leftarrow IS(1^k,\Lambda)$, $\vec x \leftarrow \vec x_\xi$; for each $j \in [n]$ it operates as follows: $(hk_j,pk_j) \leftarrow KG(1^k,\Lambda,\vec x(j))$, $y_j \leftarrow Hash(1^k,\Lambda,\vec x(j),hk_j)$, $xpky(j) \leftarrow (\vec x(j),pk_j,y_j)$. Finally it outputs $(\Lambda,xpky)$.
 $SmGen_2(1^k)$: compared with $SmGen_1(1^k)$, the only difference is that for each $j \in [n]-[h]$, $y_j \in_U Range(Hash(1^k,\Lambda,\vec x(j),\cdot))$.
 $Sm_i(1^k)$: $(\Lambda,xpky) \leftarrow SmGen_i(1^k)$, $xpky \leftarrow \pi(xpky)$; finally it outputs $(\Lambda,xpky)$.

3) Distinguishability. Intuitively speaking, it requires that $DI$ can distinguish the projective instances and the smooth instances with the help of their witnesses. That is, it requires that $DI$ correctly computes the following function.

$$C(1^k,\Lambda,x,w) = \begin{cases} 0 & \text{if } (x,w) \in R_\Lambda,\\ 1 & \text{if } (x,w) \in \bar R_\Lambda,\\ \text{undefined} & \text{otherwise.} \end{cases}$$

4) Hard Subset Membership. Intuitively speaking, it requires that for any $\vec x \in Range(IS(1^k,\Lambda))$, $\vec x$ can be disordered without being detected. That is, for any $\pi \in \Pi$, the two probability ensembles $HSM_1 \stackrel{def}{=} \{HSM_1(1^k)\}_{k\in\mathbb{N}}$ and $HSM_2 \stackrel{def}{=} \{HSM_2(1^k)\}_{k\in\mathbb{N}}$, specified as follows, are computationally indistinguishable, i.e., $HSM_1 \stackrel{c}{\equiv} HSM_2$.

 $HSM_1(1^k)$: $\Lambda \leftarrow PG(1^k)$, $\vec\xi \leftarrow IS(1^k,\Lambda)$; finally it outputs $(\Lambda,\vec x_\xi)$.
 $HSM_2(1^k)$: operates the same as $HSM_1(1^k)$, with the exception that it finally outputs $(\Lambda,\pi(\vec x_\xi))$.

5) Feasible Cheating. Intuitively speaking, it requires that there is a way to cheat, i.e., to generate a $\vec x$ which is supposed to fall into $L^h_{R_\Lambda} \times L^t_{\bar R_\Lambda}$ but actually falls into $L^n_{R_\Lambda}$, without being caught. That is, for any $\pi \in \Pi$ and any $\pi' \in \Pi$, the two probability ensembles $HSM_2$ and $HSM_3 \stackrel{def}{=} \{HSM_3(1^k)\}_{k\in\mathbb{N}}$ are computationally indistinguishable, i.e., $HSM_2 \stackrel{c}{\equiv} HSM_3$, where $HSM_2$ is defined above and $HSM_3$ is defined as follows.
 $HSM_3(1^k)$: $\Lambda \leftarrow PG(1^k)$, $\vec\xi \leftarrow Cheat(1^k,\Lambda)$; finally it outputs $(\Lambda,\pi'(\vec x_\xi))$.

Remark 5 (The Witnesses Of The Instances). The main use of the witness of an instance $x \in L_{R_\Lambda}$ is to project and gain the hash value of $x$. In contrast, with respect to an instance $x \in L_{\bar R_\Lambda}$, it serves as a proof of $x \in L_{\bar R_\Lambda}$. The property distinguishability guarantees that, given the needed witness, the projective instances and the smooth instances are distinguishable. For $OT^n_h$, this means that a receiver can use the witnesses of $\vec x$ to persuade a sender that the receiver is unable to gain the hash value of $x$.

Remark 6 (Hard Subset Membership). The property hard subset membership guarantees that for any $\vec x \in Range(IS(1^k,\Lambda))$, any $\pi \in \Pi$ and any PPT adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ in identifying an entry of $\pi(\vec x)$ falling into $L_{R_\Lambda}$ (resp., $L_{\bar R_\Lambda}$) with probability over the prior knowledge $h/n$ (resp., $t/n$) is negligible. That is, seen from $\mathcal{A}$, every entry of $\pi(\vec x)$ looks the same.

With respect to $OT^n_h$, this means that the receiver can encode his private input into a permutation of a vector $\vec x \in L^n_{R'_\Lambda}$ without leaking any information. For example, if the receiver expects to gain $\vec m(H)$, then he may generate a $\vec x$ and randomly choose a permutation $\pi \in \Pi$ such that $\pi(\vec x)(i) \in L_{R_\Lambda}$ for each $i \in H$. Any PPT adversary gains no new knowledge about $H$ if only given $\pi(\vec x)$.

However, if the witnesses of the instances of $\vec x$ are available (the simulator can gain the witnesses by rewinding the adversary), then the receiver's input is known. Therefore, there is a way for the simulator to extract the real input of the adversary controlling the corrupted receiver.

Remark 7 (Feasible Cheating). In our framework for $OT^n_h$, the sender uses the hash values of the instances generated by the receiver to encrypt its private inputs. The property feasible cheating makes it feasible to cheat the sender out of all his private inputs. Note that this is the key for the simulator to extract the real inputs of the adversary controlling the corrupted sender. Therefore, it is conducive to constructing a fully-simulatable protocol for $OT^n_h$.

3.2 The Difference Between $SPHDHC_{t,h}$ And Related Hash Systems

Now we discuss the difference between our $SPHDHC_{t,h}$ and the related hash systems that previous works present or use. For simplicity, we only compare our $SPHDHC_{t,h}$ with the hash system VSPHH presented by [32]. We argue that this is justified: on the one hand, the version of [32] is the version holding the most properties among previous works; on the other hand, the aim of [32] is the closest to ours. They aim to construct a framework for $OT^2_1$ which actually is half-simulatable, while we aim to establish a fully-simulatable framework for $OT^n_h$.

Loosely speaking, our $SPHDHC_{t,h}$ can be viewed as a generalized version of VSPHH. Indeed, VSPHH resembles $SPHDHC_{1,1}$ very much and can be converted into $SPHDHC_{1,1}$, though some modification is needed. The essential differences are listed as follows.

1) The key difference is that, besides each projective instance $x$ holding a witness $w$, $SPHDHC_{t,h}$ also requires each smooth instance $\bar x$ to hold a witness $\bar w$.

2) To deal with $OT^n_h$, $SPHDHC_{t,h}$ extends the $IS$ algorithm to generate $h$ $x$'s and $t$ $\bar x$'s in one invocation. As a natural result, $SPHDHC_{t,h}$ extends the property smoothness to hold with respect to $t$ $\bar x$'s, and extends the property hard subset membership to hold with respect to $h$ $x$'s and $t$ $\bar x$'s.

3) In VSPHH there exists an instance test algorithm $IT$ that takes two instances as input and outputs a bit indicating whether at least one of the two instances is smooth, i.e., $b \leftarrow IT(x_1,x_2)$. $SPHDHC_{t,h}$ discards this verifiability of smoothness and the correlated $IT$, and instead provides a distinguisher algorithm $DI$, which is conducive to applying the cut-and-choose technique.

4) $SPHDHC_{t,h}$ requires an additional property, feasible cheating, and the necessary algorithm $Cheat$. This property provides a simulator with a way to extract the real inputs of the adversary in the case that the sender is corrupted.

5) $SPHDHC_{t,h}$ extends the $KG$ algorithm such that the information of the instance is available to it. This makes constructing a hash system easier. Indeed, this makes a lattice-based hash system come true, which is thought difficult by [36].

We observe that VSPHH is indeed easy to extend to deal with $OT^n_1$, but seems difficult to extend to deal with the general $OT^n_h$. The reason is that, to hold verifiable smoothness, the $x$'s and $\bar x$'s have to be generated in a dependent way. This makes it difficult to design an $IT$ dealing with $n$ instances without leaking information that is conducive to distinguishing such $x$'s and $\bar x$'s. Therefore, even constructing a framework for $OT^n_h$ that is half-simulatable as in [32] seems impossible. We also observe that there is no way to construct a fully-simulatable framework using VSPHH, because there is no way to extract the real input of the adversary in the case that the receiver is corrupted.

The difficulties mentioned above can be overcome by requiring each $\bar x$ to hold a witness too. Since the receiver encodes his input as a permutation of $x$'s and $\bar x$'s, a simulator can extract the real input of the adversary in the case that the receiver is corrupted if their witnesses are available. Combined with the application of the cut-and-choose technique, a simulator can see such witnesses by rewinding the adversary. What is more, the implementation of $DI$ is easier than that of its predecessor $IT$, because the object operated on is essentially a pair of the form $(x,w)$, which is simpler than $(x_1,\ldots,x_n)$, the general form of the objects operated on by $IT$.

4 Constructing A Framework For Fully-simulatable $OT^n_h$

In this section, we construct a framework for $OT^n_h$. In the framework, we will use a PPT algorithm, denoted $T$, that on receiving $B_1, B_2 \in \mathfrak{H}$ outputs a uniformly chosen permutation $\pi \in_U \Pi$ such that $\pi(B_1) = B_2$, i.e., $\pi \leftarrow T(B_1,B_2)$. We give an example implementation of $T$ as follows.

$T(B_1,B_2)$: First, $E \leftarrow \emptyset$, $C \leftarrow [n]-B_1$. Second, for each $j \in B_2$: $i \in_U B_1$, $B_1 \leftarrow B_1 - \{i\}$, $E \leftarrow E \cup \{j \leftarrow i\}$. Third, $D \leftarrow [n]-B_2$; for each $j \in D$: $i \in_U C$, $C \leftarrow C - \{i\}$, $E \leftarrow E \cup \{j \leftarrow i\}$. Fourth, define $\pi$ by $\pi(i) = j$ if and only if $(j \leftarrow i) \in E$. Finally, output $\pi$.

4.1 The Framework For $OT^n_h$

• Common inputs: All entities know the public security parameter $k$, a positive polynomial $poly_s(\cdot)$, an $SPHDHC_{t,h}$ (where $n = h + t$) hash system $\mathcal{H}$, an information-theoretically hiding commitment scheme (denoted by IHC) and an information-theoretically binding commitment scheme (denoted by IBC).

• Private Inputs: Party $P_1$ (i.e., the sender) holds a private input $\vec m \in (\{0,1\}^*)^n$ and a randomness $r_1 \in \{0,1\}^*$. Party $P_2$ (i.e., the receiver) holds a private input $H \in \mathfrak{H}$ and a randomness $r_2 \in \{0,1\}^*$. The adversary $\mathcal{A}$ holds a name list $I \subseteq [2]$ and a randomness $r_{\mathcal{A}} \in \{0,1\}^*$.

• Auxiliary Inputs: The adversary $\mathcal{A}$ holds an infinite auxiliary input sequence $z = (z_k)_{k\in\mathbb{N}}$, $z_k \in \{0,1\}^*$.

The protocol works as follows. For clarity, we omit some trivial error handling, such as $P_1$ refusing to send $P_2$ something which is supposed to be sent. Handling such errors is easy: $P_2$ halting and outputting $abort_1$ suffices.

• Receiver's step (R1): $P_2$ generates hash parameters and samples instances.

 1) $P_2$ samples $poly_s(k)$ instance vectors. Let $K \stackrel{def}{=} poly_s(k)$. $P_2$ does: $\Lambda \leftarrow PG(1^k)$; for each $i \in [K]$, $\vec\xi_i \leftarrow IS(1^k,\Lambda)$. Without loss of generality, we assume $\vec\xi_i = ((x_1,w_1),\ldots,(x_h,w_h),(\bar x_{h+1},\bar w_{h+1}),\ldots,(\bar x_n,\bar w_n))^T$.

 2) $P_2$ disorders each instance vector. For each $i \in [K]$, $P_2$ uniformly chooses a permutation $\pi_i \in_U \Pi$, then $\vec\xi_i \leftarrow \pi_i(\vec\xi_i)$.

 3) $P_2$ sends the instances and the corresponding hash parameters, i.e., $(\Lambda, \vec x_1, \vec x_2, \ldots, \vec x_K)$, to $P_1$, where $\vec x_i = \vec x_{\xi_i}$ (correspondingly, $\vec w_i = \vec w_{\xi_i}$).

• Receiver's step (R2-R3) / Sender's step (S1-S2): $P_1$ and $P_2$ cooperate to toss coins to choose the instance vectors to open.

 1) $P_1$: $s \in_U \{0,1\}^K$, sends $IHC(s)$ to $P_2$.

 2) $P_2$: $s' \in_U \{0,1\}^K$, sends $IBC(s')$ to $P_1$.

 3) $P_1$ and $P_2$ respectively send each other the de-commitments to $IHC(s)$ and $IBC(s')$, and respectively check that the received de-commitments are valid. If the check fails, $P_1$ ($P_2$ respectively) halts and outputs $abort_2$ ($abort_1$ respectively). If no check fails, they proceed to the next step.

 4) $P_1$ and $P_2$ share a common randomness $r = s \oplus s'$. The instance vectors whose indices fall into $CS \stackrel{def}{=} \{i \mid r(i) = 1, i \in [K]\}$ (correspondingly, $\overline{CS} = [K] - CS$) are chosen to open.

• Receiver's step (R4): $P_2$ opens the chosen instances to $P_1$, and encodes and sends his private input to $P_1$.

 1) $P_2$ opens the chosen instances to prove that the instances he generates are legal. $P_2$ sends $((i,j,\vec w_i(j)))_{i \in CS, j \in J_i}$ to $P_1$, where $J_i = \{j \mid \vec x_i(j) \in L_{\bar R_\Lambda}, j \in [n]\}$.

 2) $P_2$ encodes his private input and sends the resulting code to $P_1$. Let $G_i \stackrel{def}{=} \{j \mid \vec x_i(j) \in L_{R_\Lambda}, i \in \overline{CS}\}$. For each $i \in \overline{CS}$, $P_2$ does $\pi'_i \leftarrow T(G_i, H)$ and sends $(\pi'_i)_{i \in \overline{CS}}$ to $P_1$. That is, $P_2$ encodes his private input into sequences such as $\pi'_i(\vec x_i)$ where $i \in \overline{CS}$.

 Note that $P_2$ can send $((i,j,\vec w_i(j)))_{i \in CS, j \in J_i}$ and $(\pi'_i)_{i \in \overline{CS}}$ in one step.

• Sender's step (S3): $P_1$ checks the chosen instances, and encrypts and sends his private input to $P_2$.

 1) $P_1$ verifies that each chosen instance vector is legal, i.e., the number of its entries belonging to $L_{R_\Lambda}$ is not more than $h$. $P_1$ checks that, for each $i \in CS$, $\#J_i \ge n - h$, and for each $j \in J_i$, $DI(1^k,\Lambda,\vec x_i(j),\vec w_i(j))$ is 1. If the check fails, $P_1$ halts and outputs $abort_2$; otherwise $P_1$ proceeds to the next step.

 2) $P_1$ reorders the entries of each unchosen instance vector in the way told by $P_2$. For each $i \in \overline{CS}$, $P_1$ does $\vec x_i \leftarrow \pi'_i(\vec x_i)$.

 3) $P_1$ encrypts and sends his private input to $P_2$ together with some auxiliary messages. For each $i \in \overline{CS}$, $j \in [n]$, $P_1$ does: $(hk_{ij},pk_{ij}) \leftarrow KG(1^k,\Lambda,\vec x_i(j))$, $\beta_{ij} \leftarrow Hash(1^k,\Lambda,\vec x_i(j),hk_{ij})$, $\vec\beta_i \stackrel{def}{=} (\beta_{i1},\beta_{i2},\ldots,\beta_{in})^T$, $\vec c \leftarrow \vec m \oplus (\oplus_{i \in \overline{CS}} \vec\beta_i)$, $\vec{pk}_i = (pk_{i1},pk_{i2},\ldots,pk_{in})^T$, and sends $\vec c$ and $(\vec{pk}_i)_{i \in \overline{CS}}$ to $P_2$.

• Receiver's step (R5): $P_2$ decrypts the ciphertext $\vec c$ and gains the messages he wants. For each $i \in \overline{CS}$, $j \in H$, $P_2$ operates: $\beta'_{ij} \leftarrow pHash(1^k,\Lambda,\vec x_i(j),\vec{pk}_i(j),\vec w_i(j))$, $m'_j \leftarrow \vec c(j) \oplus (\oplus_{i \in \overline{CS}} \beta'_{ij})$. Finally, $P_2$ gains the messages $(m'_j)_{j \in H}$.



4.2 The Correctness Of The Framework

Now let us check the correctness of the framework, i.e., that the framework works in the case that $P_1$ and $P_2$ are honest. For each $i \in \overline{CS}$, $j \in H$, we know

$$\vec c(j) = \vec m(j) \oplus (\oplus_{i \in \overline{CS}} \vec\beta_i(j)), \qquad m'_j = \vec c(j) \oplus (\oplus_{i \in \overline{CS}} \beta'_{ij})$$

Because of the projection of $\mathcal{H}$, we know

So we have

$$\vec m(j) = m'_j$$

This means that what $P_2$ gets is $\vec m(H)$, which indeed is what $P_2$ wants.

4.3 The Security Of The Framework

With respect to the security of the framework, we have the following theorem.

Theorem 8 (The protocol is secure against malicious adversaries). Assume that $\mathcal{H}$ is a $t$-smooth $h$-projective hash family that holds the properties distinguishability, hard subset membership and feasible cheating, IHC is an information-theoretically hiding commitment, and IBC is an information-theoretically binding commitment. Then the protocol securely computes the oblivious transfer functionality in the presence of non-adaptive malicious adversaries.

We defer the strict proof of Theorem 8 to Section 5 and first give an intuitive analysis here as a warm-up. For the security of $P_1$, the framework should prevent $P_2$ from gaining more than $h$ messages. Using the cut-and-choose technique, $P_1$ makes sure with some probability that each instance vector contains no more than $h$ projective instances, which makes it difficult for $P_2$ to learn extra messages. The following theorem guarantees that this probability is overwhelming.

Theorem 9. Assume that the commitment schemes employed in the framework are a perfectly hiding commitment and a perfectly binding commitment. Then, in the case that $P_1$ is honest and $P_2$ is corrupted, the probability that $P_2$ cheats to obtain more than $h$ messages is at most $1/2^{poly_s(k)}$.

Proof: According to the framework, there are two necessary conditions for $P_2$'s success in cheating.

1) $P_2$ has to generate at least one illegal $\vec x_i$ which contains more than $h$ entries belonging to $L_{R_\Lambda}$. If not, $P_2$ can't correctly decrypt more than $h$ entries of $\vec c$, because of the smoothness of $\mathcal{H}$. Without loss of generality, we assume the illegal instance vectors are $\vec x_{l_1}, \vec x_{l_2}, \ldots, \vec x_{l_d}$.

2) All illegal instance vectors are lucky enough not to be chosen, and the unchosen instance vectors are exactly the illegal instance vectors, i.e., $\overline{CS} = \{l_1, l_2, \ldots, l_d\}$. We prove this claim in two cases.

 a) In the case that $\overline{CS} \neq \{l_1,l_2,\ldots,l_d\}$ and $\overline{CS} - \{l_1,l_2,\ldots,l_d\} = \emptyset$, there exists $j$ ($j \in [d] \wedge l_j \in CS$). So $P_1$ can detect $P_2$'s cheating and $P_2$ will gain nothing.

 b) In the case that $\overline{CS} \neq \{l_1,l_2,\ldots,l_d\}$ and $\overline{CS} - \{l_1,l_2,\ldots,l_d\} \neq \emptyset$, there exists $j$ ($j \in \overline{CS} \wedge \vec x_j$ is legal). Because of the smoothness of $\mathcal{H}$, $P_2$ cannot correctly decrypt more than $h$ entries of $\vec c$.

Now, let us estimate the probability that the second necessary condition is met. Note that $IHC(s)$ is a perfectly hiding commitment, $IBC(s')$ is a perfectly binding commitment, and $P_1$ is honest, so the shared randomness $r$ is uniformly distributed. We have

$$\Pr(\overline{CS} = \{l_1, l_2, \ldots, l_d\}) = (1/2)^d (1/2)^{poly_s(k) - d}$$

This means that the probability that $P_2$ cheats to obtain more than $h$ messages is at most $1/2^{poly_s(k)}$. □

From the proof of Theorem 9 it is easy to see that if the commitment schemes employed are the ones with statistical properties, the probability that $P_2$ cheats to obtain more than $h$ messages is negligible too, since the upper bound of this probability deviates from $1/2^{poly_s(k)}$ by at most a negligible distance.

For the security of $P_2$, the framework first should prevent $P_1$ from learning $P_2$'s private input. There is a potential risk in Step R4 where $P_2$ encodes his private input. From Remark 6, we know that hard subset membership guarantees that for any PPT malicious $P_1$, without being given $\pi_i$, the probability that $P_1$ learns any new knowledge is negligible. Thus $P_2$'s encoding is safe. Besides cheating $P_2$ of his private input, it seems there is another obvious attack, in which a malicious $P_1$ sends invalid messages, e.g. $pk_{ij}$ with $(hk_{ij},pk_{ij}) \notin Range(KG(1^k,\Lambda,\vec x_i(j)))$, to $P_2$. This attack in fact doesn't matter. Its effect is equal to that of $P_1$ altering his real input, which is allowed in the ideal world too.

4.4 The Communication Rounds

Step R1 and Step R2 can be taken in one round. Step R5 is taken without communication. Each of the other steps is taken in one round. Therefore, the total number of communication rounds is six.

Compared with existing fully-simulatable protocols for oblivious transfer that work without resorting to a random oracle or a trusted common reference string (CRS), our protocol is the most efficient one. On counting the total communication rounds of a protocol, we count those of the modified version, in which consecutive communications in the same direction are combined into one round. The protocol for $OT^n_{k\times 1}$ of [6] costs one and two zero-knowledge proofs of knowledge, respectively, in initialization and in transferring a message, where each zero-knowledge proof of knowledge is performed in four rounds. The whole protocol costs at least ten rounds. The protocol for $OT^n_h$ of [28] costs one zero-knowledge proof of knowledge in initialization, which is performed in at least three rounds, one protocol to extract a secret key corresponding to the identity of a message, which is performed in four rounds, and one zero-knowledge proof of knowledge in transferring a message, which is performed in at least three rounds. We point out that the interactive proof of knowledge of a discrete logarithm modulo a prime, presented by [51] and taken as a zero-knowledge proof of knowledge protocol in [28], is, to the best of our knowledge, not known to be zero-knowledge. However, turning to the techniques of $\Sigma$-protocols, [14] makes it zero-knowledge at the cost of three additional communication rounds, which in turn increases the communication rounds of the protocol of [28]. Taking everything into consideration, this protocol costs at least ten rounds. The protocol for $OT^2_1$ of [36] costs six rounds.

4.5 The Computational Overhead

We measure the computational overhead of the framework in terms of the number of public key operations (i.e., operations based on trapdoor functions, or similar operations), because the overhead of public key operations, which depends on the length of their inputs, is greater than that of symmetric key operations (i.e., operations based on one-way functions) by orders of magnitude. Please see [38] to know which cryptographic operations are public key operations and which are private key operations.

As to the framework, the public key operations are $Hash(\cdot)$ and $pHash(\cdot)$, and the symmetric key operations are $IHC(\cdot)$ and $IBC(\cdot)$. In Step S3, $P_1$ takes $n \cdot \#\overline{CS}$ invocations of $Hash(\cdot)$ to encrypt his private input. In Step R5, $P_2$ takes $h \cdot \#\overline{CS}$ invocations of $pHash(\cdot)$ to decrypt the messages he wants. The value of $\#\overline{CS}$ is $poly_s(k)$ and $poly_s(k)/2$, respectively, in the worst case and in the average case. Thus, fixing the problem we tackle (i.e., fixing the values of $n$ and $h$), the efficiency only depends on the value of $poly_s(k)$. In Section 5, where we strictly prove the security of the framework, we'll see that in the case that only $P_2$ is corrupted, our simulator doesn't consider a situation in the real world that arises with probability at most $1/2^{poly_s(k)}$. Therefore, setting $poly_s(k) = 40$ is secure enough to use our framework in practice. In the worst case the computational overhead mainly consists of $40n$ invocations of $Hash(\cdot)$ taken by $P_1$ and $40h$ invocations of $pHash(\cdot)$ taken by $P_2$; in the average case the computational overhead mainly consists of $20n$ invocations of $Hash(\cdot)$ taken by $P_1$ and $20h$ invocations of $pHash(\cdot)$ taken by $P_2$.

We point out that our simulator may also fail (with negligible probability) in the case that $P_1$ is corrupted, but the probability of this event depends on the computational hiding of IBC and on the computational binding of IHC rather than on the value of $poly_s(k)$, and it has no influence on the computational overhead. So we don't need to take this case into consideration here.

Compared with existing fully-simulatable protocols for oblivious transfer that work without resorting to a random oracle or a trusted CRS, our DDH-based instantiation, which will be presented in Section 7.1, is the most efficient one in computational overhead. The operations of the protocol in [6] are based on non-standard assumptions, i.e., the $q$-Power Decisional Diffie-Hellman and $q$-Strong Diffie-Hellman ($q$-SDH) assumptions, which are both associated with bilinear groups. [13] indicates that $q$-SDH-based operations are more expensive than standard-assumption-based operations. The operations of the protocol in [28] are based on the Decisional Bilinear Diffie-Hellman (DBDH) assumption. Since bilinear curves are considerably more expensive than regular elliptic curves [19] and DDH is obtainable from elliptic curves, the operations in [6], [28] are considerably more expensive than DDH-based operations. Therefore, our DDH-based instantiation is more efficient than the protocols presented by [6], [28]. The DDH-based protocol for $OT^2_1$ presented by [36] is also very efficient. However, it can be viewed as a specific case of our framework, though some modification of the protocol is needed.

We have to admit that, in the context where a trusted CRS is available and only $OT^2_1$ is needed, [48]'s DDH-based instantiation, which is two-round efficient and costs two public key encryption operations and one public key decryption operation, is the most efficient one, whether seen from the number of communication rounds or from the computational overhead.

5 A Security Proof Of The Framework

We prove that Theorem 8 holds in this section. For notational clarity we denote the entities, the parties and the adversary in the real world by $P_1$, $P_2$, $\mathcal{A}$, and denote the corresponding entities in the ideal world by $P'_1$, $P'_2$, $\mathcal{A}'$. In light of the parties being corrupted, there are four cases to be considered, and we prove that Theorem 8 holds in each case. For simplicity, we assume that the commitment schemes employed are a perfectly binding commitment scheme and a perfectly hiding commitment scheme. If the statistical ones are employed, the proof can be done in the same way with a slight modification.

We don't know how to construct a strictly polynomial-time simulator for the adversary in the real world in the case that only $P_1$ or only $P_2$ is corrupted. Instead, expected polynomial-time simulators are constructed (see Section 2.2 for the justification), which results in a failure of the standard black-box reduction technique. Fortunately, the problem and its derived problems can be solved using the technique given by [26].

5.1 In the Case that $P_1$ Is Corrupted

In the case that $P_1$ is corrupted, $A$ takes full control of $P_1$ in the real world. Correspondingly, $A$'s simulator, $A'$, takes full control of $P_1'$ in the ideal world, where $A'$ is constructed as follows.

• Initial input: $A'$ holds the same $k$, $I = \{1\}$, $z \stackrel{def}{=} (z_k)_{k \in \mathbb{N}}$ as $A$. What is more, $A'$ holds a uniformly distributed randomness $r_{A'} \in \{0,1\}^*$. The parties $P_1'$ and $P_1$, whom $A'$ and $A$ respectively are to corrupt, hold the same $\bar{m}$.

• $A'$ works as follows.

- Step Sim1: $A'$ corrupts $P_1'$ and learns $P_1'$'s private input $\bar{m}$. Let $\bar{A}$ be a copy of $A$, i.e., $\bar{A} = A$. $A'$ uses $\bar{A}$ as a subroutine. $A'$ fixes the initial inputs of $\bar{A}$ to be identical to his own, except that he fixes the randomness of $\bar{A}$ to a uniformly distributed value. $A'$ activates $\bar{A}$, and supplies $\bar{A}$ with $\bar{m}$ before $\bar{A}$ engages in the protocol for $OT_h^n$.

In the following steps, $A'$ builds an environment for $\bar{A}$ which simulates the real world. That is, $A'$ disguises himself as $P_1$ and $P_2$ at the same time to interact with $\bar{A}$.

- Step Sim2: $A'$ uniformly chooses a randomness $r \in_U \{0,1\}^K$ ($K \stackrel{def}{=} poly_s(k)$) as the shared randomness. Let $CS$ and $\overline{CS}$ be the sets decided by $r$. For each $i \in CS$, $A'$ honestly generates the hash parameters and instance vectors. For each $i \in \overline{CS}$, $A'$ calls $Cheat(1^k)$ to generate such parameters and vectors. $A'$ sends these hash parameters and instance vectors to $\bar{A}$.

Remark 10. From the earlier remark we know that each entry of an instance vector generated by $Cheat(1^k)$ is projective. If such instance vectors are not chosen to be opened, then the probability of $\bar{A}$ detecting this fact is negligible, and $A'$ can extract the real input of $\bar{A}$, which is what we want.

- Step Sim3: $A'$ plays the role of $P_2$ and executes Steps R2-R3 of the framework to toss coins together with $\bar{A}$. When the coin tossing is completed successfully, $A'$ learns and records the value $s$ that $\bar{A}$ commits to.

Remark 11. The aim of this coin tossing is to learn the randomness $s$ that $\bar{A}$ chooses. What $A'$ will do next is to take $IBC(r \oplus s)$ as his commitment and redo the coin tossing.

- Step Sim4: $A'$ repeats the following procedure, denoted $T$, until $\bar{A}$ correctly reveals the recorded value $s$.

$T$: $A'$ rewinds $\bar{A}$ to the end of Step S1 of the framework. Then, taking $IBC^{\gamma}(r \oplus s)$ as his commitment, $A'$ executes Steps R2 and R3 of the framework, where $\gamma$ is a fresh, uniformly chosen randomness.

- Step Sim5: Now $A'$ and $\bar{A}$ share the common randomness $r$. $A'$ executes Step R4 of the framework as the honest $P_2$ does. On receiving $c$ and $(pk_i)_{i \in \overline{CS}}$, $A'$ correctly decrypts all entries of $c$ and gains $\bar{A}$'s full real private input $m$. Then $A'$ sends $m$ to the TTP.

- Step Sim6: When $\bar{A}$ halts, $A'$ halts, outputting what $\bar{A}$ outputs.

Without considering Step Sim4, $A'$ is polynomial-time. However, taking Step Sim4 into consideration, this is not true any more. Let $q(\alpha)$ and $p(\alpha)$ respectively denote the probability that $\bar{A}$ correctly reveals his commitment in Step Sim3 and in procedure $T$, where $\alpha = (1^k, z_k, I, \bar{m}, r_{\bar{A}})$. Then the expected number of repetitions of $T$ in Step Sim4 is $q(\alpha)/p(\alpha)$. Since the view $\bar{A}$ holds before revealing his commitment in Step Sim3 is different from that in procedure $T$, $q(\alpha)$ and $p(\alpha)$ are distinct. What the computational secrecy of $IBC$ guarantees, and only guarantees, is that the difference $|q(\alpha) - p(\alpha)| = \mu(\cdot)$ is negligible. However, there is a risk that $q(\alpha)/p(\alpha)$ is not bounded by a polynomial. For example, $q(\alpha) = 1/2^k$ and $p(\alpha) = 1/2^{2k}$ result in $q(\alpha)/p(\alpha) = 2^k$. This is a big problem and gives rise to many other difficulties we will encounter later.

Fortunately, [26] encounters and solves the same problem and its derived problems as ours. In a little more detail, [26] presents a protocol in which $P_1$ and $P_2$ respectively send a perfectly hiding commitment, a perfectly binding commitment, and the corresponding decommitments to each other, as in the coin-tossing situation of our framework. To prove security in the case that $P_1$ is corrupted, [26] constructs a simulator in the same way as ours and encounters the same problem as ours.

Using the idea of [26], we can overcome this problem too. Specifically, an expected polynomial-time simulator can be obtained by replacing Step Sim4 with Steps Sim4.1 and Sim4.2 given as follows.

• Step Sim4.1: $A'$ estimates the value of $q(\alpha)$. $A'$ repeats the following procedure, denoted $\Phi$, until the number of times $\bar{A}$ correctly reveals his commitment reaches $poly(k)$, where $poly(\cdot)$ is a big enough polynomial.

$\Phi$: $A'$ rewinds $\bar{A}$ to the end of Step S1 of the framework, and $A'$ honestly executes Steps R2 and R3 of the framework to interact with it.

Denote the number of times that $\Phi$ is repeated by $d$; then $q(\alpha)$ is estimated as $\tilde{q}(\alpha) \stackrel{def}{=} poly(k)/d$.

• Step Sim4.2: $A'$ repeats the procedure $T$. In case $\bar{A}$ correctly reveals the recorded value $s$, $A'$ proceeds to the next step. In case $\bar{A}$ correctly reveals a value different from $s$, $A'$ outputs ambiguity and halts. In case the number of repetitions of $T$ exceeds the value $poly(k)/\tilde{q}(\alpha)$, $A'$ outputs timeout and halts.

Proposition 12. The simulator $A'$ is expected polynomial-time.

Proof. Conditioned on Step Sim4.1 being executed, the expected value of $d$ is $poly(k)/q(\alpha)$. Choosing a big enough $poly(\cdot)$, $\tilde{q}(\alpha)$ is within a constant factor of $q(\alpha)$ with probability $1 - 2^{-poly(k)}$. Therefore, the expected running time of $A'$,

$$ExpTime_{A'} \le Time_{Sim1} + Time_{Sim2} + Time_{Sim3} + q(\alpha) \cdot \big(Time_{\Phi} \cdot poly(k)/q(\alpha) + Time_{T} \cdot poly(k)/q(\alpha)\big) + Time_{Sim5} + Time_{Sim6},$$

is bounded by a polynomial. □

What is more, we have

1) The probability that $A'$ outputs timeout is negligible.

2) The probability that $A'$ outputs ambiguity is negligible.

3) The output of $A'$ in the ideal world and the output of $A$ in the real world are computationally indistinguishable, i.e.,

$$\{Ideal_{f,\{1\},A'(z_k)}(1^k, \bar{m}, H)(1)\}_{k \in \mathbb{N},\, \bar{m} \in (\{0,1\}^*)^n,\, H \in \Psi,\, z_k \in \{0,1\}^*} \stackrel{c}{\equiv} \{Real_{\pi,\{1\},A(z_k)}(1^k, \bar{m}, H)(1)\}_{k \in \mathbb{N},\, \bar{m} \in (\{0,1\}^*)^n,\, H \in \Psi,\, z_k \in \{0,1\}^*} \quad (2)$$

Since the propositions above can be proven in the same way as in [26], we do not repeat the details here.

Proposition 13. In the case that $P_1$ is corrupted, i.e., $I = \{1\}$, equation (1) required by Definition 1 holds.

Proof: First let us focus on the real world. $A$'s real input can be formulated as $\gamma \leftarrow A(1^k, \bar{m}, z_k, r_A)$. Note that in this case, $P_2$'s output is a determinate function of $A$'s real input. Since $A$'s real input is in its view, without loss of generality we assume that $A$'s output, denoted $a$, contains its real input. Therefore, $P_2$'s output is a determinate function of $A$'s output, where the function is

$$g(a) = \begin{cases} abort_1 & \text{if } \gamma = abort_1 \\ \gamma(H) & \text{otherwise.} \end{cases}$$

Let $h(a) \stackrel{def}{=} (a, \lambda, g(a))$. Then we have

$$Real_{\pi,\{1\},A(z_k)}(1^k, \bar{m}, H) = h\big(Real_{\pi,\{1\},A(z_k)}(1^k, \bar{m}, H)(0)\big).$$

Similarly, in the ideal world, we have

$$Ideal_{f,\{1\},A'(z_k)}(1^k, \bar{m}, H) \doteq h\big(Ideal_{f,\{1\},A'(z_k)}(1^k, \bar{m}, H)(0)\big).$$

We use $\doteq$ rather than $=$ here because there is a negligible probability that $A'$ outputs timeout or ambiguity, which makes $h(\cdot)$ undefined.

Let $X(1^k, \bar{m}, H, z_k, \{1\}) \stackrel{def}{=} Real_{\pi,\{1\},A(z_k)}(1^k, \bar{m}, H)(0)$ and $Y(1^k, \bar{m}, H, z_k, \{1\}) \stackrel{def}{=} Ideal_{f,\{1\},A'(z_k)}(1^k, \bar{m}, H)(0)$. Following equation (2), $X \stackrel{c}{\equiv} Y$. Let $F = (h)_{k \in \mathbb{N}}$. What is more, assume that $A'$ runs in strictly polynomial time. According to Proposition 20, which we will present in Section 6.1, the proposition holds.

In fact, $A'$ does not run in strictly polynomial time, which results in a failure of the above standard reduction. Fortunately, this difficulty can be overcome by truncating the rare executions of $A'$ which are too long and then applying standard reduction techniques. Since the details are the same as in [26], we do not give them here; please see [26] for them. □



5.2 In the Case that $P_2$ Is Corrupted

In the case that $P_2$ is corrupted, $A$ takes full control of $P_2$ in the real world. Correspondingly, $A'$ takes full control of $P_2'$ in the ideal world. We construct $A'$ as follows.

• Initial input: $A'$ holds the same $k$, $I = \{2\}$, $z \stackrel{def}{=} (z_k)_{k \in \mathbb{N}}$ as $A$, and holds a uniformly distributed randomness $r_{A'} \in \{0,1\}^*$. The parties $P_2'$ and $P_2$ hold the same private input $H$.

• $A'$ works as follows.

- Step Sim1: $A'$ corrupts $P_2'$ and learns $P_2'$'s private input $H$. $A'$ takes $A$'s copy $\bar{A}$ as a subroutine, fixes $\bar{A}$'s initial input, activates $\bar{A}$, supplies $\bar{A}$ with $H$, and builds an environment for $\bar{A}$ in the same way as $A'$ does in the case that $P_1$ is corrupted.

- Step Sim2: Playing the role of $P_1$, $A'$ honestly executes the sender's steps until reaching Step S3.3. If Step S3.3 is reached, $A'$ records the shared randomness $r$ and the messages, denoted $msg$, which he sends to $\bar{A}$. Then $A'$ proceeds to the next step. Otherwise, $A'$ sends $abort_1$ to the TTP, outputs what $\bar{A}$ outputs and halts.

- Step Sim3: $A'$ repeats the following procedure, denoted $\Xi$, until the hash parameters and the instance vectors $\bar{A}$ sends in Step R1 pass the check. $A'$ records the shared randomness $\tilde{r}$ and the messages $\bar{A}$ sends to open the chosen instance vectors.

$\Xi$: $A'$ rewinds $\bar{A}$ to the beginning of Step R2, and honestly follows the sender's steps until reaching Step S3.3 to interact with $\bar{A}$.

Note that in each repetition of $\Xi$, the value $A'$ commits to and the randomness used to generate the commitment in Step S1 are fresh and uniformly chosen.

- Step Sim4:

1) In case $r = \tilde{r}$, $A'$ outputs failure and halts;

2) In case $r \ne \tilde{r} \wedge \forall i\,(r(i) \ne \tilde{r}(i) \rightarrow r(i) = 1 \wedge \tilde{r}(i) = 0)$, $A'$ runs from scratch;

3) Otherwise, i.e., in case $r \ne \tilde{r} \wedge \exists i\,(r(i) = 0 \wedge \tilde{r}(i) = 1)$, $A'$ records the first such $i$, denoted $e$, and proceeds to the next step.

Remark 14. The aim of Steps Sim3 and Sim4 is to prepare to extract the real input of $\bar{A}$. If the third case happens, then $A'$ knows whether each entry of the $\bar{x}_e$ he sees in Step Sim1 belongs to $L_\Lambda$ or to $\overline{L_\Lambda}$. What is more, $\bar{x}_e$ is indeed a legal instance vector, because $\bar{x}_e$ passes the check executed by $A'$ in Step Sim3. Combining this with $\pi_e$ received in Step Sim1, $A'$ knows the real input of $\bar{A}$.

Note that $\bar{A}$'s initial input is fixed by $A'$ in Step Sim1. So, on receiving the same messages, $\bar{A}$ responds in the same way. Therefore, by rewinding $\bar{A}$ to the beginning of Step R2 and sending the messages sent in Step Sim1, $A'$ can reproduce the same scenario as he meets in Step Sim1.

- Step Sim5: $A'$ rewinds $\bar{A}$ to the beginning of Step R2 of the framework, and sends the previously recorded $msg$ to $\bar{A}$ in order. According to the analysis of Remark 14, $A'$ can extract $\bar{A}$'s real input $H'$. $A'$ does so, sends $H'$ to the TTP and receives the message $\bar{m}(H')$.

- Step Sim6: $A'$ constructs $\bar{m}'$ as follows. For each $i \in H'$, $\bar{m}'(i) \leftarrow \bar{m}(i)$. For each $i \notin H'$, $\bar{m}'(i) \in_U \{0,1\}^*$. Playing the role of $P_1$ and taking $\bar{m}'$ as his real input, $A'$ follows Step S3.3 to complete the interaction with $\bar{A}$.

- Step Sim7: When $\bar{A}$ halts, $A'$ halts, outputting what $\bar{A}$ outputs.

Note that $\Xi$ does not simulate a situation in the real world in which $A$ cheats $P_1$ out of more than $h$ messages. Fortunately, Theorem 9 guarantees that this situation arises with probability at most $1/2^{poly_s(k)}$ and so can be ignored.

Proposition 15. The simulator $A'$ is expected polynomial-time.

Proof: First, let us focus on Step Sim3. In each repetition of $\Xi$, because of the perfect hiding of $IHC(\cdot)$ and the uniform distribution of the value $A'$ commits to, the chosen instance vectors are uniformly distributed. This leads to the probability that $\bar{A}$ passes the check being the same in each repetition. Denote this probability by $p$. The expected time of Step Sim3 is

$$ExpTime_{Sim3} = (1/p) \cdot Time_{\Xi}.$$

Under the same analysis, the probability that $\bar{A}$ passes the check in Step Sim2 is $p$ too. Then the expected time that $A'$ runs once from Step Sim1 to the beginning of Step Sim4 is

$$OncExpTime_{Sim1 \to Sim4} \le Time_{Sim1} + Time_{Sim2} + p \cdot ExpTime_{Sim3} = Time_{Sim1} + Time_{Sim2} + Time_{\Xi}.$$

Second, let us focus on Step Sim4, especially the case that $A'$ needs to run from scratch. Note that the initial inputs $A'$ holds are the same in each trial. Thus the probability that $A'$ runs from scratch in each trial is the same. We denote this probability by $1 - q$. Then the expected time that $A'$ runs from Step Sim1 to the beginning of Step Sim5 is

$$ExpTime_{Sim1 \to Sim5} \le (1 + 1/q) \cdot (OncExpTime_{Sim1 \to Sim4} + Time_{Sim4}) = (1 + 1/q) \cdot (Time_{Sim1} + Time_{Sim2} + Time_{\Xi} + Time_{Sim4}).$$

The reason there is a 1 here is that $A'$ has to run from scratch at least one time in any case.

The expected running time of $A'$ in a whole execution is

$$ExpTime_{A'} \le ExpTime_{Sim1 \to Sim5} + Time_{Sim5} + Time_{Sim6} = (1 + 1/q) \cdot (Time_{Sim1} + Time_{Sim2} + Time_{\Xi} + Time_{Sim4}) + Time_{Sim5} + Time_{Sim6}. \quad (3)$$

Third, let us estimate the value of $q$, which is the probability that $A'$ does not run from scratch in a trial. We denote this event by $C$. It is easy to see that event $C$ happens if and only if one of the following events happens.

1) Event $B$ happens, where $B$ denotes the event that $A'$ halts before reaching Step Sim3.

2) Event $\bar{B}$ happens and $R = \tilde{R}$, where $R$ and $\tilde{R}$ respectively denote the random variables defined as the shared randomness $A'$ gets in Step Sim2 and in Step Sim3.

3) Event $\bar{B}$ happens and there exists $i$ such that $R(i) = 0 \wedge \tilde{R}(i) = 1$.

So

$$q = \Pr(C) = \Pr(B) + \Pr(\bar{B} \cap R = \tilde{R}) + \Pr\big(\bar{B} \cap \exists i\,(R(i) = 0 \wedge \tilde{R}(i) = 1)\big) = \Pr(B) + \Pr(\bar{B}) \cdot \big(\Pr(R = \tilde{R} \mid \bar{B}) + \Pr(\exists i\,(R(i) = 0 \wedge \tilde{R}(i) = 1) \mid \bar{B})\big) \quad (4)$$

Let $S_1 \stackrel{def}{=} \{(r, \tilde{r}) \mid (r, \tilde{r}) \in (\{0,1\}^K)^2, r = \tilde{r}\}$, $S_2 \stackrel{def}{=} \{(r, \tilde{r}) \mid (r, \tilde{r}) \in (\{0,1\}^K)^2, r \ne \tilde{r}, \forall i\,(r(i) \ne \tilde{r}(i) \rightarrow r(i) = 1 \wedge \tilde{r}(i) = 0)\}$, and $S_3 \stackrel{def}{=} \{(r, \tilde{r}) \mid (r, \tilde{r}) \in (\{0,1\}^K)^2, r \ne \tilde{r}, \exists i\,(i \in [K] \wedge r(i) = 0 \wedge \tilde{r}(i) = 1)\}$. It is easy to see that $S_1$, $S_2$, $S_3$ constitute a complete partition of $(\{0,1\}^K)^2$, and $\#S_1 = 2^K$, $\#S_2 = \#S_3 = (2^K \cdot 2^K - 2^K)/2$.

Because of the perfect hiding of $IHC(\cdot)$ and the uniform distribution of the value $A'$ commits to, $R$ and $\tilde{R}$ are both uniformly distributed. We have

$$\Pr(R = \tilde{R} \mid \bar{B}) = \#S_1 / \#(\{0,1\}^K)^2 = 1/2^K \quad (5)$$

and

$$\Pr(\exists i\,(R(i) = 0 \wedge \tilde{R}(i) = 1) \mid \bar{B}) = \#S_3 / \#(\{0,1\}^K)^2 = 1/2 - 1/2^{K+1} \quad (6)$$

Combining equations (4), (5) and (6), we have

$$q = \Pr(B) + \Pr(\bar{B})(1/2 + 1/2^{K+1}) = 1/2 + 1/2^{K+1} + (1/2 - 1/2^{K+1})\Pr(B) \ge 1/2 \quad (7)$$

Combining equations (3) and (7), we have

$$ExpTime_{A'} \le 3(Time_{Sim1} + Time_{Sim2} + Time_{\Xi} + Time_{Sim4}) + Time_{Sim5} + Time_{Sim6},$$

which means the expected running time of $A'$ is bounded by a polynomial. □

Lemma 16. The probability that $A'$ outputs failure is less than $1/2^{K-1}$.

Proof: Let $X$ be a random variable defined as the number of trials in a whole execution. From the proof of Proposition 15 we know two facts. First, $\Pr(X = i) = (1 - q)^{i-1} q \le 1/2^{i-1}$. Second, in each trial the event that $A'$ outputs failure is the combined event of $\bar{B}$ and $R = \tilde{R}$, where the combined event happens with the following probability:

$$\Pr(\bar{B} \cap R = \tilde{R}) = \Pr(\bar{B})\Pr(R = \tilde{R} \mid \bar{B}) \le \Pr(R = \tilde{R} \mid \bar{B}).$$

Combining equation (5), this probability is not more than $1/2^K$. Therefore, the probability that $A'$ outputs failure in a whole execution is

$$\sum_{i=1}^{\infty} \Pr(X = i)\,\Pr(\bar{B} \cap R = \tilde{R}) \le (1/2^K) \cdot \sum_{i=1}^{\infty} 1/2^{i-1} = 1/2^{K-1}.$$

□
Lemma 17. The output of the adversary $A$ in the real world and that of the simulator $A'$ in the ideal world are computationally indistinguishable, i.e.,

$$\{Real_{\pi,\{2\},A(z_k)}(1^k, \bar{m}, H)(0)\}_{k \in \mathbb{N},\, \bar{m} \in (\{0,1\}^*)^n,\, H \in \Psi,\, z_k \in \{0,1\}^*} \stackrel{c}{\equiv} \{Ideal_{f,\{2\},A'(z_k)}(1^k, \bar{m}, H)(0)\}_{k \in \mathbb{N},\, \bar{m} \in (\{0,1\}^*)^n,\, H \in \Psi,\, z_k \in \{0,1\}^*}$$

Proof: First, we claim that the outputs of $A'$ and $\bar{A}$ are computationally indistinguishable. The only point at which the output of $A'$ differs from that of $\bar{A}$ is that $A'$ may output failure. Since the probability that this arises is negligible, our claim holds.

Second, we claim that the outputs of $\bar{A}$ and $A$ are computationally indistinguishable. The only point at which the view of $\bar{A}$ differs from that of $A$ is that the ciphertext $\bar{A}$ receives is generated by encrypting $\bar{m}'$, not $\bar{m}$. Fortunately, the smoothness property of $SPHDHC_{t,h}$ guarantees that the ciphertexts generated in the two ways are computationally indistinguishable. Therefore, our claim holds.

Combining the two claims, the lemma holds. □

Proposition 18. In the case that $P_2$ is corrupted, i.e., $I = \{2\}$, equation (1) required by Definition 1 holds.

Proof: Note that the honest parties $P_1$ and $P_1'$ end up outputting nothing. Thus the fact that the outputs of $A'$ and $A$ are computationally indistinguishable, which is supported by Lemma 17, directly proves that this proposition holds. □

5.3 Other Cases

In the case that both $P_1$ and $P_2$ are corrupted, $A$ takes full control of the two corrupted parties. In the ideal world, a similar situation holds with respect to $A'$, $P_1'$ and $P_2'$. As in the previous cases, $A'$ uses $A$'s copy, $\bar{A}$, as a subroutine and builds a simulated environment for $\bar{A}$. $A'$ provides $\bar{A}$ with $P_1'$'s and $P_2'$'s initial inputs before $\bar{A}$ engages in the protocol. When $\bar{A}$ halts, $A'$ halts, outputting what $\bar{A}$ outputs. Obviously, $A'$ runs in strictly polynomial time and equation (1) required by Definition 1 holds in this case.

In the case that neither $P_1$ nor $P_2$ is corrupted, the simulator $A'$ is constructed as follows. $A'$ uses $\bar{A}$, $\bar{P}_1$, $\bar{P}_2$ as subroutines, where $\bar{A}$, $\bar{P}_1$, $\bar{P}_2$ are, respectively, copies of $A$, $P_1$ and $P_2$. $A'$ fixes $\bar{A}$'s initial inputs in the same way as in the previous cases. $A'$ chooses an arbitrary $\bar{m} \in (\{0,1\}^*)^n$ and a uniformly distributed randomness $r_1$ as $\bar{P}_1$'s initial inputs. $A'$ chooses an arbitrary $H \in \Psi$ and a uniformly distributed randomness $r_2$ as $\bar{P}_2$'s initial inputs. $A'$ activates these subroutines and makes the communication between $\bar{P}_1$ and $\bar{P}_2$ available to $\bar{A}$. Note that, in the case that neither $P_1$ nor $P_2$ is corrupted, what adversaries can see in real life is only the communication between honest parties. When $\bar{A}$ halts, $A'$ halts, outputting what $\bar{A}$ outputs. Obviously, $A'$ runs in strictly polynomial time and equation (1) required by Definition 1 holds in this case.



6 How To Construct $SPHDHC_{t,h}$ Easily

$SPHDHC_{t,h}$ holds so many properties that constructing it from scratch is not always easy. In this section, we reduce constructing $SPHDHC_{t,h}$ to constructing seemingly simpler hash systems. An idea that naturally arises is to generate the instances independently, which in essence yields the required properties. We keep this idea in mind as we proceed to construct $SPHDHC_{t,h}$.

6.1 Smoothness

In this section, we describe how to obtain smoothness for a hash family. First, we introduce a lemma from [24].

Lemma 19 ([24]). Let $X \stackrel{def}{=} \{X(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$ and $Y \stackrel{def}{=} \{Y(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$ be two polynomial-time constructible probability ensembles with $X \stackrel{c}{\equiv} Y$. Then

$$\hat{X} \stackrel{c}{\equiv} \hat{Y}$$

where $\hat{X} \stackrel{def}{=} \{\hat{X}(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$, $\hat{X}(1^k, a) \stackrel{def}{=} (X_i(1^k, a))_{i \in [poly(k)]}$, each $X_i(1^k, a) = X(1^k, a)$; $\hat{Y} \stackrel{def}{=} \{\hat{Y}(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$, $\hat{Y}(1^k, a) \stackrel{def}{=} (Y_i(1^k, a))_{i \in [poly(k)]}$, each $Y_i(1^k, a) = Y(1^k, a)$; and all $X_i(1^k, a)$, $Y_i(1^k, a)$ are independent.

Proposition 20. Let $X \stackrel{def}{=} \{X(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$ and $Y \stackrel{def}{=} \{Y(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$ be two polynomial-time constructible probability ensembles with $X \stackrel{c}{\equiv} Y$, and let $F = (f_k)_{k \in \mathbb{N}}$, where each $f_k : \{0,1\}^* \to \{0,1\}^*$ is polynomial-time computable. Then

$$F(X) \stackrel{c}{\equiv} F(Y)$$

where $F(X) \stackrel{def}{=} \{f_k(X(1^k, a))\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$ and $F(Y) \stackrel{def}{=} \{f_k(Y(1^k, a))\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$.

Proof: Assume the proposition is false. Then there exists a non-uniform PPT distinguisher $D$ with an infinite sequence $z = (z_k)_{k \in \mathbb{N}}$, a polynomial $poly(\cdot)$ and an infinite set of positive integers $G \subseteq \mathbb{N}$ such that, for each $k \in G$, it holds that

$$\big|\Pr(D(1^k, z_k, a, f_k(X(1^k, a))) = 1) - \Pr(D(1^k, z_k, a, f_k(Y(1^k, a))) = 1)\big| \ge 1/poly(k).$$

We construct a distinguisher $D'$ with the infinite sequence $z = (z_k)_{k \in \mathbb{N}}$ for the ensembles $X$ and $Y$ as follows.

$D'(1^k, z_k, a, \gamma)$: $\delta \leftarrow f_k(\gamma)$; finally outputs $D(1^k, z_k, a, \delta)$.

Obviously, $D'(1^k, z_k, a, X(1^k, a)) = D(1^k, z_k, a, f_k(X(1^k, a)))$ and $D'(1^k, z_k, a, Y(1^k, a)) = D(1^k, z_k, a, f_k(Y(1^k, a)))$. So we have

$$\big|\Pr(D'(1^k, z_k, a, X(1^k, a)) = 1) - \Pr(D'(1^k, z_k, a, Y(1^k, a)) = 1)\big| \ge 1/poly(k).$$

This contradicts the fact $X \stackrel{c}{\equiv} Y$. □
Lemma 21. Let $\mathcal{H} = (PG, IS, DI, KG, Hash, pHash, Cheat)$ be a hash family and $n \stackrel{def}{=} h + t$. For each $i \in [2]$ and $j \in [n]$, let $Sm_j^i \stackrel{def}{=} \{Sm_j^i(1^k)\}_{k \in \mathbb{N}} \stackrel{def}{=} \{(SmGen_i(1^k)(1), SmGen_i(1^k)(2)(j))\}_{k \in \mathbb{N}}$, where $SmGen_i(1^k)$ is defined in Definition 4. If $\mathcal{H}$ meets the following three conditions,

1) all random variables $SmGen_i(1^k)(2)(j)$ are independent, where $i \in [2]$, $j \in [n] - [h]$;

2) $Sm_{h+1}^1 = \ldots = Sm_n^1$ and $Sm_{h+1}^2 = \ldots = Sm_n^2$;

3) $Sm_{h+1}^1 \stackrel{c}{\equiv} Sm_{h+1}^2$;

then $\mathcal{H}$ has the property smoothness.

Proof: Following Lemma 19,

$$\{(Sm_{h+1}^1(1^k), \ldots, Sm_n^1(1^k))\}_{k \in \mathbb{N}} \stackrel{c}{\equiv} \{(Sm_{h+1}^2(1^k), \ldots, Sm_n^2(1^k))\}_{k \in \mathbb{N}}$$

holds. Let $X \stackrel{def}{=} \{(Sm_1^1(1^k), \ldots, Sm_n^1(1^k))\}_{k \in \mathbb{N}}$ and $Y \stackrel{def}{=} \{(Sm_1^2(1^k), \ldots, Sm_n^2(1^k))\}_{k \in \mathbb{N}}$. From the definition of $SmGen_i(1^k)$ we notice that, for each $j \in [h]$, $Sm_j^1(1^k) = Sm_j^2(1^k)$. So it holds that

$$X \stackrel{c}{\equiv} Y.$$

Since each $Sm_j^i(1^k)$ is polynomial-time constructible, both $X$ and $Y$ are polynomial-time constructible. Let $F = (\pi)_{k \in \mathbb{N}}$, where $\pi \in \Pi$. Following Proposition 20 we have $F(X) \stackrel{c}{\equiv} F(Y)$, i.e.,

$$\{\pi(Sm_1^1(1^k), \ldots, Sm_n^1(1^k))\}_{k \in \mathbb{N}} \stackrel{c}{\equiv} \{\pi(Sm_1^2(1^k), \ldots, Sm_n^2(1^k))\}_{k \in \mathbb{N}}.$$

Noticing that $SmGen_1(1^k)(1) = SmGen_2(1^k)(1)$, we have

$$\{(SmGen_1(1^k)(1), \pi(SmGen_1(1^k)(2)))\}_{k \in \mathbb{N}} \stackrel{c}{\equiv} \{(SmGen_2(1^k)(1), \pi(SmGen_2(1^k)(2)))\}_{k \in \mathbb{N}}.$$

That is, $Sm_1 \stackrel{c}{\equiv} Sm_2$, which meets the requirement of smoothness. □

Loosely speaking, following Lemma 21, given a hash family $\mathcal{H}$, if each $x$ is sampled in an independent way and its projective key is useless for obtaining the value of $Hash(1^k, \Lambda, x, \cdot)$, then $\mathcal{H}$ is smooth.

6.2 Hard Subset Membership

In this section, we deal with how to obtain hard subset membership for a hash family $\mathcal{H}$.

Proposition 22. Let $X \stackrel{def}{=} \{X(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$ and $Y \stackrel{def}{=} \{Y(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$ be two polynomial-time constructible probability ensembles with $X \stackrel{c}{\equiv} Y$. Then

$$XY \stackrel{c}{\equiv} \Phi(XY)$$

where $XY$ and $\Phi(XY)$ are two probability ensembles defined as follows.

• $XY \stackrel{def}{=} \{XY(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$, $XY(1^k, a) \stackrel{def}{=} (X_1(1^k, a), \ldots, X_{poly_1(k)}(1^k, a), Y_{poly_1(k)+1}(1^k, a), \ldots, Y_{poly(k)}(1^k, a))$, each $X_i(1^k, a) = X(1^k, a)$, each $Y_i(1^k, a) = Y(1^k, a)$, $poly_1(\cdot) \le poly(\cdot)$, and all $X_i(1^k, a)$ and $Y_i(1^k, a)$ are independent;

• $\Phi(XY) \stackrel{def}{=} \{\Phi_k(XY(1^k, a))\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$, $\Phi \stackrel{def}{=} (\Phi_k)_{k \in \mathbb{N}}$, where each $\Phi_k$ is a permutation over $[poly(k)]$.

Proof: In case $\Phi_k([poly_1(k)]) \subseteq [poly_1(k)]$, the proposition obviously holds. We proceed to prove that it also holds in case $\Phi_k([poly_1(k)]) \not\subseteq [poly_1(k)]$. Assume it does not hold in this case. Then there exists a non-uniform PPT distinguisher $D$ with an infinite sequence $z = (z_k)_{k \in \mathbb{N}}$, a polynomial $poly_2(\cdot)$ and an infinite set of positive integers $G \subseteq \mathbb{N}$ such that, for each $k \in G$,

$$\big|\Pr(D(1^k, z_k, a, XY(1^k, a)) = 1) - \Pr(D(1^k, z_k, a, \Phi_k(XY(1^k, a))) = 1)\big| \ge 1/poly_2(k). \quad (8)$$

Let $V \stackrel{def}{=} \{i \mid i \in [poly_1(k)], \Phi_k(i) \in [poly(k)] - [poly_1(k)]\}$. We list the elements of $V$ in order as $i_1 < \ldots < i_j < \ldots < i_{\#V}$, and let $V_j \stackrel{def}{=} \{i_1, \ldots, i_j\}$ with $V_0 \stackrel{def}{=} \emptyset$. We define the following permutations over $[poly(k)]$. For $j \in \{0\} \cup [\#V]$,

$$\Phi_k^j(i) = \begin{cases} i & i \in (V - V_j) \cup \Phi_k(V - V_j), \\ \Phi_k(i) & i \in [poly(k)] - (V - V_j) - \Phi_k(V - V_j). \end{cases}$$

It is easy to see that $XY(1^k, a) = \Phi_k^0(XY(1^k, a))$ and $\Phi_k = \Phi_k^{\#V}$. So we have

$$\big|\Pr(D(1^k, z_k, a, XY(1^k, a)) = 1) - \Pr(D(1^k, z_k, a, \Phi_k(XY(1^k, a))) = 1)\big| = \big|\Pr(D(1^k, z_k, a, \Phi_k^0(XY(1^k, a))) = 1) - \Pr(D(1^k, z_k, a, \Phi_k^{\#V}(XY(1^k, a))) = 1)\big|. \quad (9)$$

Following the triangle inequality, we have

$$\big|\Pr(D(1^k, z_k, a, \Phi_k^0(XY(1^k, a))) = 1) - \Pr(D(1^k, z_k, a, \Phi_k^{\#V}(XY(1^k, a))) = 1)\big| \le \sum_{j=1}^{\#V} \big|\Pr(D(1^k, z_k, a, \Phi_k^{j-1}(XY(1^k, a))) = 1) - \Pr(D(1^k, z_k, a, \Phi_k^{j}(XY(1^k, a))) = 1)\big|. \quad (10)$$

Combining equations (8), (9) and (10), we have

$$\sum_{j=1}^{\#V} \big|\Pr(D(1^k, z_k, a, \Phi_k^{j-1}(XY(1^k, a))) = 1) - \Pr(D(1^k, z_k, a, \Phi_k^{j}(XY(1^k, a))) = 1)\big| \ge 1/poly_2(k).$$

So there exists $j \in [\#V]$ such that

$$\big|\Pr(D(1^k, z_k, a, \Phi_k^{j-1}(XY(1^k, a))) = 1) - \Pr(D(1^k, z_k, a, \Phi_k^{j}(XY(1^k, a))) = 1)\big| \ge 1/(\#V \cdot poly_2(k)). \quad (11)$$

According to the definition of $\Phi_k^{j-1}$ and $\Phi_k^{j}$, the only differences between them are their values at the points $i_j$ and $\Phi_k(i_j)$. Similarly, the only differences between $\Phi_k^{j-1}(XY(1^k, a))$ and $\Phi_k^{j}(XY(1^k, a))$ are the $i_j$-th and $\Phi_k(i_j)$-th entries, i.e., $\Phi_k^{j-1}(XY(1^k, a))(i_j) = X(1^k, a)$, $\Phi_k^{j-1}(XY(1^k, a))(\Phi_k(i_j)) = Y(1^k, a)$, $\Phi_k^{j}(XY(1^k, a))(i_j) = Y(1^k, a)$ and $\Phi_k^{j}(XY(1^k, a))(\Phi_k(i_j)) = X(1^k, a)$.

Let $MXY \stackrel{def}{=} \{MXY(1^k, a)\}_{k \in \mathbb{N}, a \in \{0,1\}^*}$, where $MXY(1^k, a)$ is defined as follows. For each $d \in [poly(k)]$,

$$MXY(1^k, a)(d) = \begin{cases} \Phi_k^{j-1}(XY(1^k, a))(d) & d \ne \Phi_k(i_j), \\ X(1^k, a) & d = \Phi_k(i_j). \end{cases}$$

The difference between $MXY(1^k, a)$ and $\Phi_k^{j-1}(XY(1^k, a))$ is that $MXY(1^k, a)(\Phi_k(i_j)) = X(1^k, a)$ while $\Phi_k^{j-1}(XY(1^k, a))(\Phi_k(i_j)) = Y(1^k, a)$. The difference between $MXY(1^k, a)$ and $\Phi_k^{j}(XY(1^k, a))$ is that $MXY(1^k, a)(i_j) = X(1^k, a)$ while $\Phi_k^{j}(XY(1^k, a))(i_j) = Y(1^k, a)$. Following the triangle inequality, we have

$$\big|\Pr(D(1^k, z_k, a, \Phi_k^{j-1}(XY(1^k, a))) = 1) - \Pr(D(1^k, z_k, a, MXY(1^k, a)) = 1)\big| + \big|\Pr(D(1^k, z_k, a, MXY(1^k, a)) = 1) - \Pr(D(1^k, z_k, a, \Phi_k^{j}(XY(1^k, a))) = 1)\big| \ge \big|\Pr(D(1^k, z_k, a, \Phi_k^{j-1}(XY(1^k, a))) = 1) - \Pr(D(1^k, z_k, a, \Phi_k^{j}(XY(1^k, a))) = 1)\big|. \quad (12)$$

Combining (11) and (12), we know that

$$\big|\Pr(D(1^k, z_k, a, \Phi_k^{j-1}(XY(1^k, a))) = 1) - \Pr(D(1^k, z_k, a, MXY(1^k, a)) = 1)\big| \ge 1/(2\#V \cdot poly_2(k)) \quad (13)$$

or

$$\big|\Pr(D(1^k, z_k, a, MXY(1^k, a)) = 1) - \Pr(D(1^k, z_k, a, \Phi_k^{j}(XY(1^k, a))) = 1)\big| \ge 1/(2\#V \cdot poly_2(k)) \quad (14)$$

holds. Without loss of generality, we assume that equation (13) holds (in case equation (14) holds, the proof can be done in a similar way). We can construct a distinguisher $D'$ with an infinite sequence $z = (z_k)_{k \in \mathbb{N}}$ for the probability ensembles $X$ and $Y$ as follows.

$D'(1^k, z_k, a, \gamma)$: sample a vector $x_\delta$ in the same way as $\Phi_k^{j-1}(XY(1^k, a))$, except that its $\Phi_k(i_j)$-th entry is set as $x_\delta(\Phi_k(i_j)) \leftarrow \gamma$; finally outputs $D(1^k, z_k, a, x_\delta)$.

Obviously, if $\gamma$ is sampled from $Y(1^k, a)$, then $x_\delta$ is an instance of $\Phi_k^{j-1}(XY(1^k, a))$; if $\gamma$ is sampled from $X(1^k, a)$, then $x_\delta$ is an instance of $MXY(1^k, a)$. So we have

$$\big|\Pr(D'(1^k, z_k, a, X(1^k, a)) = 1) - \Pr(D'(1^k, z_k, a, Y(1^k, a)) = 1)\big| = \big|\Pr(D(1^k, z_k, a, MXY(1^k, a)) = 1) - \Pr(D(1^k, z_k, a, \Phi_k^{j-1}(XY(1^k, a))) = 1)\big|. \quad (15)$$

Combining (13) and (15), we have

$$\big|\Pr(D'(1^k, z_k, a, X(1^k, a)) = 1) - \Pr(D'(1^k, z_k, a, Y(1^k, a)) = 1)\big| \ge 1/(2\#V \cdot poly_2(k)).$$

This contradicts the fact $X \stackrel{c}{\equiv} Y$. Therefore, the proposition also holds in case $\Phi_k([poly_1(k)]) \not\subseteq [poly_1(k)]$. □

Lemma 23. Let $\mathcal{H} = (PG, IS, DI, KG, Hash, pHash, Cheat)$ be a hash family and let $n \stackrel{def}{=} h + t$. For each $i \in [n]$, let $HSM^i \stackrel{def}{=} \{HSM^i(1^k)\}_{k \in \mathbb{N}}$, $HSM^i(1^k) \stackrel{def}{=} (HSM_1(1^k)(1), HSM_1(1^k)(i+1))$, where $HSM_1(1^k)$ is defined in Definition 4. If $\mathcal{H}$ meets the following three conditions,

1) all variables $HSM_1(1^k)(i+1)$ are independent, where $i \in [n]$;

2) $HSM^1 = \ldots = HSM^h$ and $HSM^{h+1} = \ldots = HSM^n$;

3) $HSM^1 \stackrel{c}{\equiv} HSM^{h+1}$;

then $\mathcal{H}$ has the property hard subset membership.

Proof: Let $\pi \in \Pi$, $X \stackrel{def}{=} HSM^1$, $Y \stackrel{def}{=} HSM^{h+1}$, $\Phi \stackrel{def}{=} (\pi)_{k \in \mathbb{N}}$, $poly_1(\cdot) = h$ and $poly(\cdot) = n$. Following Proposition 22 we know

$$XY \stackrel{c}{\equiv} \Phi(XY).$$

That is,

$$\{((HSM_1(1^k)(1), HSM_1(1^k)(2)), \ldots, (HSM_1(1^k)(1), HSM_1(1^k)(n+1)))\}_{k \in \mathbb{N}} \stackrel{c}{\equiv} \{((HSM_2(1^k)(1), HSM_2(1^k)(2)), \ldots, (HSM_2(1^k)(1), HSM_2(1^k)(n+1)))\}_{k \in \mathbb{N}}$$

where $HSM_1(1^k)$, $HSM_2(1^k)$ are taken from Definition 4. Note that $HSM_1(1^k)(1) = HSM_2(1^k)(1)$, so

$$\{(HSM_1(1^k)(1), HSM_1(1^k)(2), \ldots, HSM_1(1^k)(n+1))\}_{k \in \mathbb{N}} \stackrel{c}{\equiv} \{(HSM_2(1^k)(1), HSM_2(1^k)(2), \ldots, HSM_2(1^k)(n+1))\}_{k \in \mathbb{N}},$$

i.e., $HSM_1 \stackrel{c}{\equiv} HSM_2$, which meets the requirement of the property hard subset membership. □

Loosely speaking, Lemma 23 shows that, given a hash family $\mathcal{H}$, if the random variables $IS(1^k, \Lambda)(1), \ldots, IS(1^k, \Lambda)(n)$ are independent, $IS(1^k, \Lambda)(1), \ldots, IS(1^k, \Lambda)(h)$ sample $x$ from $L_\Lambda$ in the same way, $IS(1^k, \Lambda)(h+1), \ldots, IS(1^k, \Lambda)(n)$ sample $x$ from $\overline{L_\Lambda}$ in the same way, and $L_\Lambda$ and $\overline{L_\Lambda}$ are computationally indistinguishable, then $\mathcal{H}$ has hard subset membership.

6.3 Reducing To Constructing Considerably Simpler Hash

In this section, we reduce constructing $SPHDHC_{t,h}$ to constructing a considerably simpler hash.

Definition 24 (smooth projective hash family that holds properties distinguishability and hard subset membership). $\mathcal{H} = (PG, IS, DI, KG, Hash, pHash)$ is a smooth projective hash family that holds the properties distinguishability and hard subset membership (SPHDH) if and only if $\mathcal{H}$ is specified as follows:

• The algorithms $PG$, $DI$, $KG$, $Hash$ and $pHash$ are specified the same as in $SPHDHC_{t,h}$'s definition, i.e., Definition 4.

• The instance-sampler $IS$ is a PPT algorithm that takes a security parameter $k$, a family parameter $\Lambda$ and a work mode $\delta \in \{0,1\}$ as input and outputs an instance along with its witness $(x, w)$, i.e., $(x, w) \leftarrow IS(1^k, \Lambda, \delta)$. Correspondingly, we define the relations $R_\Lambda^0$, $R_\Lambda^1$, $R_\Lambda$ as follows: $R_\Lambda^0 \stackrel{def}{=} \bigcup_{k \in \mathbb{N}} Range(IS(1^k, \Lambda, 0))$, $R_\Lambda^1 \stackrel{def}{=} \bigcup_{k \in \mathbb{N}} Range(IS(1^k, \Lambda, 1))$, $R_\Lambda \stackrel{def}{=} R_\Lambda^0 \cup R_\Lambda^1$;

and $\mathcal{H}$ has the following properties:

1) The properties projection and distinguishability are specified the same as in $SPHDHC_{t,h}$'s definition, i.e., Definition 4.

2) Smoothness. Intuitively speaking, it requires that for any instance $x \in \overline{L_\Lambda}$, the hash value of $x$ is unobtainable unless its hash key is known. That is, the two probability ensembles $Sm_1 \stackrel{def}{=} \{Sm_1(1^k)\}_{k \in \mathbb{N}}$ and $Sm_2 \stackrel{def}{=} \{Sm_2(1^k)\}_{k \in \mathbb{N}}$ defined as follows are computationally indistinguishable, i.e., $Sm_1 \stackrel{c}{\equiv} Sm_2$.

$Sm_1(1^k)$: $\Lambda \leftarrow PG(1^k)$, $(x, w) \leftarrow IS(1^k, \Lambda, 1)$, $(hk, pk) \leftarrow KG(1^k, \Lambda, x)$, $y \leftarrow Hash(1^k, \Lambda, x, hk)$. Finally outputs $(\Lambda, x, pk, y)$.

$Sm_2(1^k)$: compared with $Sm_1(1^k)$, the only difference is that $y \in_U Range(Hash(1^k, \Lambda, x, \cdot))$.

3) Hard Subset Membership. Intuitively speaking, it requires that the instances of $L_\Lambda$ and those of $\overline{L_\Lambda}$ are computationally indistinguishable. That is, the two probability ensembles $Hm_1 \stackrel{def}{=} \{Hm_1(1^k)\}_{k \in \mathbb{N}}$ and $Hm_2 \stackrel{def}{=} \{Hm_2(1^k)\}_{k \in \mathbb{N}}$ defined as follows are computationally indistinguishable, i.e., $Hm_1 \stackrel{c}{\equiv} Hm_2$.

$Hm_1(1^k)$: $\Lambda \leftarrow PG(1^k)$, $(x, w) \leftarrow IS(1^k, \Lambda, 0)$; finally outputs $(\Lambda, x)$.

$Hm_2(1^k)$: $\Lambda \leftarrow PG(1^k)$, $(x, w) \leftarrow IS(1^k, \Lambda, 1)$; finally outputs $(\Lambda, x)$.

It is easy to see that projection and smoothness are two contradictory properties. That is, for any instance $x$, at most one of the two holds. Therefore, $R_\Lambda^0 \cap R_\Lambda^1 = \emptyset$.

Theorem 25 (reduce constructing $SPHDHC_{t,h}$ to constructing SPHDH). Given an SPHDH $\tilde{\mathcal{H}}$, we can efficiently gain an $SPHDHC_{t,h}$ $\mathcal{H}$.

Proof: Let $\tilde{\mathcal{H}} = (\tilde{PG}, \tilde{IS}, \tilde{DI}, \tilde{KG}, \tilde{Hash}, \tilde{pHash})$. First, we construct a new hash system $\mathcal{H} = (PG, IS, DI, KG, Hash, pHash, Cheat)$ as follows.

• The procedures $PG$, $DI$, $KG$, $Hash$, $pHash$ directly take the corresponding procedures from $\tilde{\mathcal{H}}$.

• $IS(1^k, \Lambda)$: For each $i \in [h]$, $\bar{a}(i) \leftarrow \tilde{IS}(1^k, \Lambda, 0)$; for each $i \in [n] - [h]$, $\bar{a}(i) \leftarrow \tilde{IS}(1^k, \Lambda, 1)$; finally outputs $\bar{a}$.

• $Cheat(1^k, \Lambda)$: For each $i \in [n]$, $\bar{a}(i) \leftarrow \tilde{IS}(1^k, \Lambda, 0)$; finally outputs $\bar{a}$.

Second, we prove that $\mathcal{H}$ is an $SPHDHC_{t,h}$. From the construction, we know that it remains to prove that $\mathcal{H}$ holds the properties smoothness, hard subset membership and feasible cheating. However, this fact directly follows from Lemma 21, Lemma 23 and Lemma ??. Therefore, $\mathcal{H}$ is an $SPHDHC_{t,h}$. □

Sometimes it is not easy to obtain smoothness for a hash family directly. In this case we first construct a hash family with the weaker property defined below, as the first step towards our goal.

Definition 26 ($\epsilon$-universal projective hash family that holds properties distinguishability and hard subset membership). $\mathcal{H} = (PG, IS, DI, KG, Hash, pHash)$ is an $\epsilon$-universal projective hash family that holds properties distinguishability and hard subset membership ($\epsilon$-UPHDH) if and only if $\mathcal{H}$ is specified as follows.

• All algorithms are specified the same as in the definition of SPHDH, i.e., Definition 24,

and $\mathcal{H}$ has the following properties.

1) The properties projection, distinguishability and hard subset membership are specified the same as in Definition 24.

2) $\epsilon$-universality. Intuitively speaking, it requires that the probability of guessing the hash value of a smooth instance $x$ is at most $\epsilon$. That is, for any sufficiently large $k$, any $\Lambda \in Range(PG(1^k))$, any $x \in Range(IS(1^k,\Lambda,1))$, any $pk \in Range(KG(1^k,\Lambda,x)(2))$ and any $y \in Range(Hash(1^k,\Lambda,x,\cdot))$, it holds that

$$\Pr(Hash(1^k,\Lambda,x,HK) = y \mid PK = pk) \le \epsilon,$$

where $(HK,PK) \leftarrow KG(1^k,\Lambda,x)$ and the probability is taken over the randomness of $KG$.

Compared with SPHDH, $\epsilon$-UPHDH relaxes the upper bound on the probability of guessing the hash value of $x$ to a larger value. Assuming $\epsilon < 1$, as in [15], [32], we can efficiently obtain an SPHDH from an $\epsilon$-UPHDH.

Theorem 27. Given an $\epsilon$-UPHDH $\mathcal{H}$ with $\epsilon < 1$, we can efficiently obtain an SPHDH $\mathcal{H}'$.

The way to prove this theorem is to construct the required hash system, which is obtained by a simple application of the Leftover Hash Lemma (see [39] for this lemma): applying a pairwise-independent hash to the $\epsilon$-universal hash value turns a value that is merely hard to guess into one that is statistically close to uniform. The detailed construction is essentially the same as in [15]. Considering the space, we do not repeat it here.

Combining Theorem 25 and Theorem 27, we have the following corollary.

Corollary 28 (reducing the construction of SPHDHC$_{t,h}$ to the construction of $\epsilon$-UPHDH). Given an $\epsilon$-UPHDH $\mathcal{H}$ with $\epsilon < 1$, we can efficiently obtain an SPHDHC$_{t,h}$ $\bar{\mathcal{H}}$.

7 Constructing SPHDHC$_{t,h}$

In this section, we construct SPHDHC$_{t,h}$ respectively under the lattice assumption, the decisional Diffie-Hellman assumption, the decisional $N$-th residuosity assumption and the decisional quadratic residuosity assumption. Theorem 25 and Corollary 28 show that, to construct an SPHDHC$_{t,h}$, it suffices to construct an SPHDH or an $\epsilon$-UPHDH ($\epsilon < 1$).

7.1 A Construction Under The Decisional Diffie-Hellman Assumption

7.1.1 Background

Let $Gen(1^k)$ be an algorithm that randomly chooses a cyclic group and outputs the group's description $G = \langle g, q, * \rangle$, where $g$, $q$ and $*$ respectively are the generator, the order and the operation of the group.

The DDH problem is to construct an algorithm that distinguishes the two probability ensembles $DDH_1 \stackrel{def}{=} \{DDH_1(1^k)\}_{k \in \mathbb{N}}$ and $DDH_2 \stackrel{def}{=} \{DDH_2(1^k)\}_{k \in \mathbb{N}}$, which are formulated as follows.

• $DDH_1(1^k)$: $\langle g, q, * \rangle \leftarrow Gen(1^k)$, $a \in_U \mathbb{Z}_q$, $b \in_U \mathbb{Z}_q$, $c \leftarrow ab$, finally outputs $(\langle g, q, * \rangle, g^a, g^b, g^c)$.

• $DDH_2(1^k)$: Operates in the same way as $DDH_1(1^k)$ except that $c \in_U \mathbb{Z}_q$.

At present, no efficient algorithm solving the problem is known. The DDH assumption is therefore that $DDH_1 \stackrel{c}{=} DDH_2$.



7.1.2 Detailed Construction

We now present our DDH-based instantiation of SPHDH as follows. For simplicity, we assume the groups generated by $Gen(1^k)$ are of prime order.

• $PG(1^k)$: $\Lambda \leftarrow Gen(1^k)$, finally outputs $\Lambda$.

• $IS(1^k,\Lambda,\delta)$: $(g,q,*) \leftarrow \Lambda$, $a \in_U \mathbb{Z}_q$, $b \in_U \mathbb{Z}_q$, $x \leftarrow (g^a, g^b, g^{ab})$, $w \leftarrow (a,b)$, $c \in_U \mathbb{Z}_q$, $\bar{x} \leftarrow (g^a, g^b, g^c)$, $\bar{w} \leftarrow (a,b)$, finally outputs $(x,w)$ if $\delta = 0$ and $(\bar{x},\bar{w})$ if $\delta = 1$.

• $DI(1^k,\Lambda,x,w)$: $(g,q,*) \leftarrow \Lambda$, $(\alpha,\beta,\gamma) \leftarrow x$, $(a,b) \leftarrow w$; if $(\alpha,\beta,\gamma) = (g^a, g^b, g^{ab})$ holds, then outputs 0; if $(\alpha,\beta) = (g^a, g^b)$ and $\gamma \neq g^{ab}$ holds, then outputs 1.

• $KG(1^k,\Lambda,x)$: $(g,q,*) \leftarrow \Lambda$, $(\alpha,\beta,\gamma) \leftarrow x$, $u \in_U \mathbb{Z}_q$, $v \in_U \mathbb{Z}_q$, $pk \leftarrow \alpha^u g^v$, $hk \leftarrow \gamma^u \beta^v$, finally outputs $(hk,pk)$.

• $Hash(1^k,\Lambda,x,hk)$: $y \leftarrow hk$, finally outputs $y$.

• $pHash(1^k,\Lambda,x,pk,w)$: $(a,b) \leftarrow w$, $y \leftarrow pk^b$, finally outputs $y$.
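The DDH instantiation above and the vector construction of Theorem 25, as an added worked example that is not part of the paper: the code below implements $PG$, $IS$, $DI$, $KG$, $Hash$ and $pHash$ over a constructed toy group (the order-719 subgroup of $\mathbb{Z}^*_{1439}$; a real deployment needs a group of cryptographic size) and then builds the $\bar{IS}$ and $Cheat$ of Theorem 25 on top of it. It also makes the point behind Lemma 29 and Lemma 30 concrete: two hash keys derived from the exponent pairs $(u,v)$ and $(u+1, v-a)$ share one projection key, and they give the same hash value on a DDH tuple but different values on a non-DDH tuple. Rejecting the $1/q$ event $c = ab$ inside $IS$ is an assumption of the example, added so that the output of $DI$ is deterministic.

```python
import secrets

# Constructed toy group for the example: the order-q subgroup of Z_p^* with
# p = 2q + 1.  These parameters are far too small for real use; Gen(1^k) in
# the paper outputs a group of cryptographic size (ideally an elliptic curve).
P, Q = 1439, 719


def PG():
    """PG(1^k): output Lambda = (g, q) with g a generator of the order-q subgroup."""
    while True:
        h = secrets.randbelow(P - 3) + 2   # h in [2, p-2], so h^2 != 1
        g = pow(h, 2, P)                   # squaring lands in the order-q subgroup
        if g != 1:
            return (g, Q)


def IS(Lam, delta):
    """IS(1^k, Lambda, delta): delta = 0 gives a projective (DDH) tuple, delta = 1 a smooth one."""
    g, q = Lam
    a, b = secrets.randbelow(q), secrets.randbelow(q)
    if delta == 0:
        return (pow(g, a, P), pow(g, b, P), pow(g, a * b, P)), (a, b)
    c = secrets.randbelow(q)
    while c == a * b % q:   # the paper samples c uniformly; we reject the 1/q event c = ab (assumption)
        c = secrets.randbelow(q)
    return (pow(g, a, P), pow(g, b, P), pow(g, c, P)), (a, b)


def DI(Lam, x, w):
    """DI(1^k, Lambda, x, w): 0 if the witnessed tuple is a DDH tuple, 1 otherwise."""
    g, q = Lam
    alpha, beta, gamma = x
    a, b = w
    if (alpha, beta) != (pow(g, a, P), pow(g, b, P)):
        raise ValueError("witness does not fit the instance")
    return 0 if gamma == pow(g, a * b, P) else 1


def KG(Lam, x, u=None, v=None):
    """KG(1^k, Lambda, x): pk = alpha^u g^v and hk = gamma^u beta^v for uniform u, v.
    u, v may be fixed explicitly so the example can build two keys with one pk."""
    g, q = Lam
    alpha, beta, gamma = x
    u = secrets.randbelow(q) if u is None else u % q
    v = secrets.randbelow(q) if v is None else v % q
    pk = pow(alpha, u, P) * pow(g, v, P) % P
    hk = pow(gamma, u, P) * pow(beta, v, P) % P
    return hk, pk


def Hash(Lam, x, hk):
    return hk


def pHash(Lam, x, pk, w):
    a, b = w
    return pow(pk, b, P)


def projection_holds(Lam, trials=50):
    """Lemma 29: on projective instances Hash and pHash always agree."""
    for _ in range(trials):
        x, w = IS(Lam, 0)
        hk, pk = KG(Lam, x)
        if Hash(Lam, x, hk) != pHash(Lam, x, pk, w):
            return False
    return True


def same_pk_two_hashes(Lam, x, w):
    """Key pairs (u, v) and (u+1, v-a) share pk = g^{au+v}.  Returns
    (pk_equal, hash_equal): on a projective tuple the two hashes coincide, on a
    smooth tuple they differ by the factor g^{c-ab} != 1, i.e. pk does not fix
    the hash value (the argument behind Lemma 30)."""
    a, _ = w
    u, v = secrets.randbelow(Lam[1]), secrets.randbelow(Lam[1])
    hk1, pk1 = KG(Lam, x, u, v)
    hk2, pk2 = KG(Lam, x, u + 1, v - a)
    return pk1 == pk2, hk1 == hk2


def IS_bar(Lam, n, h):
    """The IS of Theorem 25: h projective instances followed by n-h smooth ones."""
    return [IS(Lam, 0) if i < h else IS(Lam, 1) for i in range(n)]


def Cheat(Lam, n):
    """The Cheat of Theorem 25: every entry of the vector is projective."""
    return [IS(Lam, 0) for _ in range(n)]


def projective_pattern(Lam, vec):
    """Apply DI entry by entry: 0 marks a projective entry, 1 a smooth one."""
    return [DI(Lam, x, w) for x, w in vec]
```

`projective_pattern(Lam, IS_bar(Lam, n, h))` returns `h` zeros followed by `n-h` ones, while `Cheat` yields a vector on which every entry decides to 0; this is exactly what the feasible-cheating property of SPHDHC$_{t,h}$ relies on, and only $DI$ with the witnesses can tell the two vectors apart.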

Lemma 29. The hash system holds the property projection.

Proof: Let $(x,w) \in Range(IS(1^k,\Lambda,0))$, so $x = (g^a, g^b, g^{ab})$ and $w = (a,b)$. Let $(hk,pk) \in Range(KG(1^k,\Lambda,x))$, so $hk = g^{abu} g^{bv}$ and $pk = g^{au} g^{v}$ for some $u, v \in \mathbb{Z}_q$. Then

$$Hash(1^k,\Lambda,x,hk) = Hash(1^k,\Lambda,(g^a,g^b,g^{ab}),g^{abu}g^{bv}) = g^{abu} g^{bv},$$

$$pHash(1^k,\Lambda,x,pk,w) = pHash(1^k,\Lambda,(g^a,g^b,g^{ab}),g^{au}g^{v},(a,b)) = (g^{au} g^{v})^{b} = g^{abu} g^{bv}.$$

That is,

$$Hash(1^k,\Lambda,x,hk) = pHash(1^k,\Lambda,x,pk,w).$$

□



Lemma 30. Assuming DDH is a hard problem, the hash system holds the property smoothness.

Proof: For this system, the probability ensembles $Sm_1$, $Sm_2$ mentioned in the definition of SPHDH can be described as follows.

• $Sm_1(1^k)$: $\Lambda \leftarrow PG(1^k)$, $(g,q,*) \leftarrow \Lambda$, $a \in_U \mathbb{Z}_q$, $b \in_U \mathbb{Z}_q$, $c \in_U \mathbb{Z}_q$, $x \leftarrow (g^a, g^b, g^c)$, $u \in_U \mathbb{Z}_q$, $v \in_U \mathbb{Z}_q$, $pk \leftarrow g^{au+v}$, $hk \leftarrow g^{cu+bv}$, $y \leftarrow hk$. Finally outputs $(\Lambda,x,pk,y)$.

• $Sm_2(1^k)$: Operates the same as $Sm_1(1^k)$ except that $y$ is generated as follows: $d \in_U \mathbb{Z}_q$, $y \leftarrow g^d$.

Fix $a$, $b$, $c$ and the value $s = au + v \bmod q$ determined by $pk$. Conditioned on $pk$, the pair $(u,v)$ is uniform over the $q$ pairs $(u, s - au)$, and the exponent of $y$ is $cu + bv = u(c - ab) + bs$. Since $q$ is prime, whenever $c \neq ab$ this exponent is uniformly distributed over $\mathbb{Z}_q$ as $u$ varies, so $y$ is uniform in the group and independent of $(\Lambda, x, pk)$, exactly as in $Sm_2$. The remaining event $c = ab$ has probability $1/q$, which is negligible. Therefore $Sm_1$ and $Sm_2$ are statistically close, and in particular $Sm_1 \stackrel{c}{=} Sm_2$. (The argument is information-theoretic; the DDH assumption is not needed for this property.) □

Lemma 31. The hash system holds the property distinguishability.

The proof of this lemma is trivial ($DI$ simply recomputes $g^a$, $g^b$ and $g^{ab}$ from the witness), so we omit it.

Lemma 32. Assuming DDH is a hard problem, the hash system holds the property hard subset membership.

Proof: For this system, the probability ensembles $Hm_1$, $Hm_2$ mentioned in the definition of SPHDH can be described as follows.

• $Hm_1(1^k)$: $\Lambda \leftarrow PG(1^k)$, $(g,q,*) \leftarrow \Lambda$, $a \in_U \mathbb{Z}_q$, $b \in_U \mathbb{Z}_q$, $x \leftarrow (g^a, g^b, g^{ab})$. Finally outputs $(\Lambda,x)$.

• $Hm_2(1^k)$: $\Lambda \leftarrow PG(1^k)$, $(g,q,*) \leftarrow \Lambda$, $a \in_U \mathbb{Z}_q$, $b \in_U \mathbb{Z}_q$, $c \in_U \mathbb{Z}_q$, $x \leftarrow (g^a, g^b, g^c)$. Finally outputs $(\Lambda,x)$.

These are exactly the ensembles $DDH_1$ and $DDH_2$ of Section 7.1.1 (with the group description written as $\Lambda$), so $Hm_1 \stackrel{c}{=} Hm_2$ follows directly from the DDH assumption. □

Combining all lemmas above, we have the following 
theorem. 

Theorem 33. Assuming DDH is a hard problem, the hash 
system is a SPHDH. 

7.1.3 A Concrete Protocol For $OT^n_h$ Based On DDH

It is known that the encryption scheme presented by [17] can be used as a perfectly binding commitment scheme. Its binding rests on the hardness of the discrete-log problem; since an algorithm solving discrete log also solves DDH, the DDH assumption implies the discrete-log assumption, and so the scheme is based on DDH essentially. The DDH-based commitment scheme presented by [47] is a perfectly hiding one. Therefore, using those two commitment schemes and our DDH-based SPHDHC$_{t,h}$, we obtain a concrete protocol for $OT^n_h$ based only on DDH. To reach the best efficiency, DDH should be instantiated in a group on an elliptic curve. See Section 4.5 for further discussion.



7.2 A Construction Under Lattice

7.2.1 Background

Learning with errors (LWE) is an average-case problem. [50] shows that its hardness is implied by the worst-case hardness of standard lattice problems, via a quantum reduction.

In lattice, the modulo operation is defined as $x \bmod y = x - \lfloor x/y \rfloor y$. Then $x \bmod 1 = x - \lfloor x \rfloor$. Let $\beta$ be an arbitrary positive real number. Let $\Psi_\beta$ be the probability density function over $[0,1)$ obtained by sampling a normal variable with mean $0$ and standard deviation $\beta/\sqrt{2\pi}$ and reducing the result modulo $1$; more specifically,

$$\Psi_\beta : [0,1) \to \mathbb{R}^+, \qquad \Psi_\beta(r) = \sum_{k=-\infty}^{\infty} \frac{1}{\beta} \exp\left(-\pi \left(\frac{r-k}{\beta}\right)^2\right).$$

Given an arbitrary integer $q \ge 2$ and an arbitrary probability density function $\phi : [0,1) \to \mathbb{R}^+$, the discretization of $\phi$ over $\mathbb{Z}_q$ is defined as

$$\bar{\phi}(i) \stackrel{def}{=} \int_{(i-1/2)/q}^{(i+1/2)/q} \phi(x)\,dx, \qquad i \in \mathbb{Z}_q.$$
LWE can be formulated as follows.

Definition 34 (Learning With Errors). The learning with errors problem ($LWE_{q,\chi}$) is to construct an efficient algorithm that, receiving $q, m, \chi, (s_i, b_i)_{i \in [m]}$, outputs $s$ with non-negligible probability. The input and the output are specified in the following way.

$q \leftarrow q(1^k)$, $m \leftarrow poly(1^k)$, $\chi \leftarrow \chi(1^k)$, $s \in_U (\mathbb{Z}_q)^k$. For each $i \in [m]$, $s_i \in_U (\mathbb{Z}_q)^k$, $e_i \in_\chi \mathbb{Z}_q$, $b_i \leftarrow s^T \cdot s_i + e_i \bmod q$,

where $q, m$ are positive integers and $\chi : \mathbb{Z}_q \to \mathbb{R}^+$ is a probability density function.

With respect to the hardness of LWE, [50] proves that, with appropriately set parameters, two worst-case standard lattice problems can be reduced to LWE, which means LWE is a very hard problem.

Lemma 35 ([50]). Set the security parameter $k$ to a value such that $q$ is a prime, $\beta \leftarrow \beta(1^k)$, $\beta \in (0,1)$, and $\beta \cdot q > 2\sqrt{k}$. Then the lattice problems SIVP and GapSVP can be reduced to $LWE_{q,\bar{\Psi}_\beta}$. More specifically, if there exists an efficient (possibly quantum) algorithm that solves $LWE_{q,\bar{\Psi}_\beta}$, then there exists an efficient quantum algorithm solving the following worst-case lattice problems in the $\ell_2$ norm.

• SIVP: In any lattice $\Lambda$ of dimension $k$, find a set of $k$ linearly independent lattice vectors of length within at most $\tilde{O}(k/\beta)$ of optimal.

• GapSVP: In any lattice $\Lambda$ of dimension $k$, approximate the length of a shortest nonzero lattice vector to within an $\tilde{O}(k/\beta)$ factor.

We emphasize that the reduction of Lemma 35 is quantum: any algorithm breaking a cryptographic scheme that is based only on LWE yields an efficient quantum algorithm solving at least one of the problems SIVP and GapSVP.

How to precisely set the parameters to obtain a concrete LWE instance that is as hard as required in Lemma 35 is beyond the scope of this paper. For such examples and more details, we recommend [50] and [48].

The instantiation of SPHDH, which we will present soon, uses an LWE-based public key cryptosystem presented by [22], which is a slight variant of [50]'s cryptosystem. This cryptosystem is described as follows.

• Message space: $\{0,1\}$.

• $Setup(1^k)$: $q \leftarrow q(1^k)$ with $q \in \mathbb{P}$ and $q \in [k^2, 2k^2]$, $m \leftarrow (1+\epsilon)(k+1)\log q$ (where $\epsilon > 0$ is an arbitrary constant), $\chi \leftarrow \bar{\Psi}_{\alpha(k)}$ where $\alpha(k) = o(1/(\sqrt{k}\log k))$ (e.g., $\alpha(k) = 1/(\sqrt{k}(\log k)^2)$), $para \leftarrow (q, m, \chi)$, finally outputs $para$.

• $KeyGen(1^k, para)$: $A \in_U (\mathbb{Z}_q)^{m \times k}$, $s \in_U (\mathbb{Z}_q)^k$, $e \in_\chi (\mathbb{Z}_q)^m$ (which means each entry of $e$ is independently drawn from $\mathbb{Z}_q$ according to $\chi$), $b \leftarrow As + e \bmod q$, $pubk \leftarrow (A, b)$, $sk \leftarrow s$, finally outputs a public-private key pair $(pubk, sk)$.

• $Enc(\cdot)$, $Dec(\cdot)$: Since $Enc(\cdot)$, $Dec(\cdot)$ are immaterial to understanding this paper, we omit their detailed procedures here.
[22] shows that if $LWE_{q,\bar{\Psi}_\alpha}$ is hard, then with appropriately chosen parameters this cryptosystem has the following properties.

1) It provides security against chosen-plaintext attack, though we only need semantic security here.

2) For each $A \in (\mathbb{Z}_q)^{m \times k}$, we have

$$\Pr(b \text{ is messy} \mid b \in_U (\mathbb{Z}_q)^m) \ge 1 - 2/q^k,$$

where $b$ is said to be messy if and only if, for all $m_0, m_1 \in \{0,1\}$, the statistical distance between the distribution of $Enc_{A,b}(m_0)$ and that of $Enc_{A,b}(m_1)$ is negligible. In other words, $b$ is messy if and only if $Enc_{A,b}(\cdot)$ loses the message, so its ciphertexts cannot be decrypted using any private key $s \in (\mathbb{Z}_q)^k$.

3) Given $A \in (\mathbb{Z}_q)^{m \times k}$ and its trapdoor $T$, there exists an efficient decision algorithm $IsMessy$ with the following two properties. First, $\Pr(IsMessy(A,T,b) = 0 \mid b \in_U (\mathbb{Z}_q)^m)$ is negligible. Second, $b$ is indeed messy if $IsMessy(A,T,b) = 1$.

7.2.2 Detailed Construction

We now present our LWE-based instantiation of SPHDH as follows.

• $PG(1^k)$: $\Lambda \leftarrow Setup(1^k)$, finally outputs $\Lambda$.

• $IS(1^k,\Lambda,\delta)$: $(q,m,\chi) \leftarrow \Lambda$, $A \in_U (\mathbb{Z}_q)^{m \times k}$ along with its trapdoor $T$, $s \in_U (\mathbb{Z}_q)^k$, $e \in_\chi (\mathbb{Z}_q)^m$, $x \leftarrow (A, As + e \bmod q)$, $w \leftarrow (0, s)$; uniformly chooses $b \in (\mathbb{Z}_q)^m$ such that $IsMessy(A,T,b) = 1$ (recall that only a negligible fraction of uniformly chosen $b$ are rejected, so such a $b$ can be chosen efficiently), $\bar{x} \leftarrow (A, b)$, $\bar{w} \leftarrow (1, T)$; finally outputs $(x,w)$ if $\delta = 0$ and $(\bar{x},\bar{w})$ if $\delta = 1$.

• $DI(1^k,\Lambda,x,w)$: $(q,m,\chi) \leftarrow \Lambda$, $(A,b) \leftarrow x$, $(i,\varrho) \leftarrow w$; if $i = 1$ and $IsMessy(A,\varrho,b) = 1$ holds, then outputs 1; otherwise outputs 0.

• $KG(1^k,\Lambda,x)$: $(q,m,\chi) \leftarrow \Lambda$, $(A,b) \leftarrow x$, $a \in_U \{0,1\}$, $\alpha \leftarrow Enc_{A,b}(a)$, $hk \leftarrow a$, $pk \leftarrow \alpha$, finally outputs $(hk,pk)$.

• $Hash(1^k,\Lambda,x,hk)$: $(q,m,\chi) \leftarrow \Lambda$, $a \leftarrow hk$, finally outputs $a$.

• $pHash(1^k,\Lambda,x,pk,w)$: $(q,m,\chi) \leftarrow \Lambda$, $\alpha \leftarrow pk$, $(i,\varrho) \leftarrow w$, $a \leftarrow Dec_\varrho(\alpha)$, finally outputs $a$.

In the above construction of SPHDH, each instance carries its own matrix $A$, which seems expensive. However, in the corresponding construction of SPHDHC$_{t,h}$, this overhead can be reduced by letting all entries of one instance vector share a matrix $A$. We point out that it is not secure for all instance vectors to share one matrix $A$: in that case, seeing matrix $A$'s trapdoor $T$ in Step S2 of the framework, $P_1$ could distinguish the smooth instances from the projective instances of the unchosen instance vectors, and thereby deduce $P_2$'s private input.

Lemma 36. Assuming LWE is a hard problem, the hash system holds the property projection.

Proof: Let $x = (A,b) \in Range(IS(1^k,\Lambda,0))$ and $w = (0,s)$. Obviously, $((A,b), s)$ is a correct public-private key pair. Then we have

$$Hash(1^k,\Lambda,x,hk) = a,$$

$$pHash(1^k,\Lambda,x,pk,w) = Dec_s(\alpha) = Dec_s(Enc_{A,b}(a)) = a,$$

whenever $Dec_s$ decrypts correctly, which holds with all but negligible probability for this cryptosystem. This means that for any $(x,w,\Lambda)$ generated by the hash system, it holds that

$$Hash(1^k,\Lambda,x,hk) = pHash(1^k,\Lambda,x,pk,w).$$

□

Lemma 37. The hash system holds the property smoothness.

Proof: For this system, the probability ensembles $Sm_1$, $Sm_2$ mentioned in the definition of SPHDH can be described as follows.

• $Sm_1(1^k)$: $\Lambda \leftarrow PG(1^k)$, $(q,m,\chi) \leftarrow \Lambda$, $A \in_U (\mathbb{Z}_q)^{m \times k}$ along with its trapdoor $T$, uniformly chooses $b \in (\mathbb{Z}_q)^m$ such that $IsMessy(A,T,b) = 1$, $x \leftarrow (A,b)$, $w \leftarrow (1,T)$, $a \in_U \{0,1\}$, $\alpha \leftarrow Enc_{A,b}(a)$, $pk \leftarrow \alpha$, $y \leftarrow a$, finally outputs $(\Lambda,x,pk,y)$.

• $Sm_2(1^k)$: Operates the same as $Sm_1(1^k)$ except that $y \in_U \{0,1\}$.

Since $b$ is messy, the distributions of $Enc_{A,b}(0)$ and $Enc_{A,b}(1)$ are statistically close, so $pk = \alpha$ is (up to negligible distance) independent of the bit $a$. In $Sm_1$ the output $y = a$ is therefore a uniform bit independent of $(\Lambda,x,pk)$, which is exactly how $y$ is generated in $Sm_2$. Hence $Sm_1(1^k)$ and $Sm_2(1^k)$ are statistically close, and in particular $Sm_1 \stackrel{c}{=} Sm_2$. □

Lemma 38. Assuming LWE is a hard problem, the hash system holds the property distinguishability.

Proof: Recall the properties of $IsMessy$: if $b$ is not messy then $IsMessy(A,T,b) = 0$, and if $b$ is messy then $IsMessy(A,T,b) = 1$ with probability close to 1. A smooth instance output by $IS(1^k,\Lambda,1)$ carries the witness $(1,T)$ together with a $b$ for which $IsMessy(A,T,b) = 1$ has already been checked, so $DI$ outputs 1; a projective instance carries the witness $(0,s)$, so $DI$ outputs 0. Hence $DI$ decides correctly. □

Lemma 39. Assuming LWE is a hard problem, the hash system holds the property hard subset membership.

Proof: For this system, the probability ensembles $Hm_1$, $Hm_2$ mentioned in the definition of SPHDH can be described as follows.

• $Hm_1(1^k)$: $\Lambda \leftarrow PG(1^k)$, $(q,m,\chi) \leftarrow \Lambda$, $A \in_U (\mathbb{Z}_q)^{m \times k}$ along with its trapdoor $T$, $s \in_U (\mathbb{Z}_q)^k$, $e \in_\chi (\mathbb{Z}_q)^m$, $x \leftarrow (A, As + e \bmod q)$, finally outputs $(\Lambda,x)$.

• $Hm_2(1^k)$: $\Lambda \leftarrow PG(1^k)$, $(q,m,\chi) \leftarrow \Lambda$, $A \in_U (\mathbb{Z}_q)^{m \times k}$ along with its trapdoor $T$, uniformly chooses $b \in (\mathbb{Z}_q)^m$ such that $IsMessy(A,T,b) = 1$, $x \leftarrow (A,b)$, finally outputs $(\Lambda,x)$.

$Hm_1$ outputs $(A, As + e)$, which under the LWE assumption is computationally indistinguishable from $(A,b)$ with $b$ uniform. $Hm_2$ outputs $(A,b)$ with $b$ uniform conditioned on $IsMessy(A,T,b) = 1$; since that condition fails only for a negligible fraction of $b$, this is statistically close to $(A,b)$ with $b$ uniform. Therefore $Hm_1 \stackrel{c}{=} Hm_2$. □

Combining Lemma 35 and the above lemmas, we have the following theorem.

Theorem 40. If SIVP or GapSVP is a hard problem, the hash system is an SPHDH.
7.2.3 A Concrete Protocol For $OT^n_h$ With Security Against Quantum Algorithms

The security proof of the framework guarantees that any adversary breaking the framework yields an algorithm breaking at least one of the cryptographic tools used in the framework. Moreover, it is generally believed that lattice-based cryptography resists quantum attacks [41]. Therefore, to obtain an instantiation of our framework with security against quantum algorithms, it suffices to adopt lattice-based instantiations of the cryptographic tools. Thus, it remains to find a perfectly hiding commitment and a perfectly binding commitment with such a security level. Though there exist general methods to construct perfectly binding commitments and perfectly hiding commitments from one-way functions (or one-way permutations) (see [23], Chapter 4), the resulting lattice-based commitments seem too expensive. Thus, another approach is needed.

First, based on the result of [22], we can get a relatively efficient statistically binding commitment.

Lemma 41 ([22]). There exists an efficient algorithm for the lattice-based cryptosystem mentioned earlier such that, for all but at most a negligible fraction of the public keys generated by $KeyGen$, given a trapdoor for the matrix $A$ and a public key $(A, As + e)$, it efficiently extracts the unique secret key $s$.

The lattice-based cryptosystem can be used as a statistically binding commitment in the following way. In the commit phase, $P_1$ sends a public key $(A,b)$ along with $Enc_{A,b}(m)$ to $P_2$. Computational hiding follows directly from the security of the cryptosystem. In the reveal phase, $P_1$ sends the trapdoor of $A$, the value $m$, and the randomness used in the commit phase to $P_2$. By Lemma 41, almost all legitimate public keys correspond to a unique private key, which guarantees that an encryption under a legitimate public key has a unique decryption. Therefore, the commitment is statistically binding.

Second, combining the works of [2], [25], [29], [40], we can get a relatively efficient statistically hiding commitment. [29] presents an efficient way to construct statistically hiding commitments from any collision-free hash. Assuming one of the lattice problems SIVP and SVP is hard, [25] shows that [2]'s lattice-based hash with suitably chosen parameters is collision-free. Under the assumption that $GapSVP_{\tilde{O}(n)}$ is hard in the worst case, [40] later also shows that the lattice-based hash is collision-free. Therefore, applying [29]'s method to [2]'s hash, we get a lattice-based statistically hiding commitment.

Now we can obtain a concrete protocol for $OT^n_h$ with security against quantum algorithms; this is summarized by the following theorem.

Theorem 42. Assuming that one of the lattice problems SIVP and GapSVP is hard for quantum algorithms, instantiating the $OT^n_h$ framework with the lattice-based SPHDHC$_{t,h}$ and the lattice-based commitment schemes (either the ones obtained by applying the general method or the ones we suggest above), the resulting concrete protocol for $OT^n_h$ is secure against quantum algorithms.

7.3 A Construction Under The Decisional N-th Residuosity Assumption

7.3.1 Verifiable-$\epsilon$-universal Projective Hash Family

In this section, we build an instantiation of $\epsilon$-UPHDH ($\epsilon < 1$) from an instantiation of a hash system called a verifiable-$\epsilon$-universal projective hash family by [32]. Therefore, it is necessary to introduce the definition of this hash system.

Definition 43 (verifiable-$\epsilon$-universal projective hash family, [32]). $\mathcal{H} = (PG, IS, IT, KG, Hash, pHash)$ is a verifiable-$\epsilon$-universal projective hash family ($\epsilon$-VUPH) if and only if $\mathcal{H}$ is specified as follows.

• The algorithms $PG$, $KG$, $Hash$, $pHash$ are specified the same as in the definition of $\epsilon$-UPHDH, i.e., Definition 26.

• $IS$ is a PPT algorithm that takes a security parameter $k$ and a family parameter $\Lambda$ as input and outputs a tuple, i.e., $(w,x,\bar{x}) \leftarrow IS(1^k,\Lambda)$.

• $IT$ is a PPT algorithm that takes a security parameter $k$, a family parameter $\Lambda$ and two instances as input and outputs a bit, i.e., $b \leftarrow IT(1^k,\Lambda,x_1,x_2)$.

and $\mathcal{H}$ has the following properties.

1) The properties projection and $\epsilon$-universality are specified the same as in the definition of $\epsilon$-UPHDH, i.e., Definition 26.

2) Verifiability. First, for any sufficiently large $k$, any $\Lambda \in Range(PG(1^k))$ and any $(w,x,\bar{x}) \in Range(IS(1^k,\Lambda))$, it holds that $IT(1^k,\Lambda,x,\bar{x}) = IT(1^k,\Lambda,\bar{x},x) = 1$. Second, for any sufficiently large $k$ and any $(\Lambda,x_1,x_2)$ such that $IT(1^k,\Lambda,x_1,x_2) = 1$, at least one of $x_1, x_2$ is $\epsilon$-universal.

It is easy to see that verifiability guarantees that any instance $x$ holds at most one of the properties projection and universality. Therefore, we have the following lemma.

Lemma 44. Let $\mathcal{H} = (PG, IS, IT, KG, Hash, pHash)$ be a verifiable-$\epsilon$-universal projective hash family. Then

$$L \cap \bar{L} = \emptyset,$$

where $L \stackrel{def}{=} \{x \mid \Lambda \leftarrow PG(1^k), (w,x,\bar{x}) \leftarrow IS(1^k,\Lambda)\}$ and $\bar{L} \stackrel{def}{=} \{\bar{x} \mid \Lambda \leftarrow PG(1^k), (w,x,\bar{x}) \leftarrow IS(1^k,\Lambda)\}$.



7.3.2 Background

Let $Gen(1^k)$ be an algorithm that operates as follows.

• $Gen(1^k)$: $(p,q) \in_U \{(p,q) \mid (p,q) \in (\mathbb{P},\mathbb{P}),\ p,q > 2,\ |p| = |q| = k,\ \gcd(pq,(p-1)(q-1)) = 1\}$, $N \leftarrow pq$, finally outputs $N$.

The problem decisional $N$-th residuosity (DNR), first presented by [46], is to construct an algorithm that distinguishes the two probability ensembles $DNR_1 \stackrel{def}{=} \{DNR_1(1^k)\}_{k \in \mathbb{N}}$ and $DNR_2 \stackrel{def}{=} \{DNR_2(1^k)\}_{k \in \mathbb{N}}$, which are formulated as follows.

• $DNR_1(1^k)$: $N \leftarrow Gen(1^k)$, $a \in_U \mathbb{Z}^*_{N^2}$, $b \leftarrow a^N \bmod N^2$, finally outputs $(N,b)$.

• $DNR_2(1^k)$: $N \leftarrow Gen(1^k)$, $b \in_U \mathbb{Z}^*_{N^2}$, finally outputs $(N,b)$.

The DNR assumption is that there is no efficient algorithm solving the problem. In other words, it is assumed that $DNR_1 \stackrel{c}{=} DNR_2$.

Our instantiation of $\epsilon$-UPHDH is built from a DNR-based instantiation of $\epsilon$-VUPH ($\epsilon < 1$) presented by [32]. The instantiation of $\epsilon$-VUPH is stated as follows.

• $PG(1^k)$: $N \leftarrow Gen(1^k)$, $a \in_U \mathbb{Z}^*_{N^2}$, $T \leftarrow N^{\lceil 2\log N \rceil}$, $g \leftarrow a^{N \cdot T} \bmod N^2$, $\Lambda \leftarrow (N,g)$, finally outputs $\Lambda$.

• $IS(1^k,\Lambda)$: $(N,g) \leftarrow \Lambda$, $r, v \in_U \mathbb{Z}^*_N$, $w \leftarrow r$, $x \leftarrow g^r \bmod N^2$, $\bar{x} \leftarrow x(1 + vN) \bmod N^2$, finally outputs $(w,x,\bar{x})$.

• $IT(1^k,\Lambda,x,\bar{x})$: $(N,g) \leftarrow \Lambda$. Checks that $N > 2^{2k}$ and $x, \bar{x} \in \mathbb{Z}^*_{N^2}$. $d \leftarrow \bar{x}/x \bmod N^2$ and checks that $N \mid (d-1)$. $v \leftarrow (d-1)/N$ and checks that $\gcd(v,N) = 1$. Outputs 1 if all the tests pass and 0 otherwise.

• $KG(1^k,\Lambda)$: $(N,g) \leftarrow \Lambda$, $hk \in_U \mathbb{Z}_{N^2}$, $pk \leftarrow g^{hk} \bmod N^2$, finally outputs $(hk,pk)$.

• $Hash(1^k,\Lambda,x,hk)$: $(N,g) \leftarrow \Lambda$, $y \leftarrow x^{hk} \bmod N^2$, finally outputs $y$.

• $pHash(1^k,\Lambda,x,pk,w)$: $(N,g) \leftarrow \Lambda$, $y \leftarrow pk^{w} \bmod N^2$, finally outputs $y$.

7.3.3 Detailed Construction

We now present our DNR-based instantiation of $\epsilon$-UPHDH ($\epsilon < 1$) as follows.

• $PG(1^k)$: $N \leftarrow Gen(1^k)$, $a \in_U \mathbb{Z}^*_{N^2}$, $T \leftarrow N^{\lceil 2\log N \rceil}$, $g \leftarrow a^{N \cdot T} \bmod N^2$, $\Lambda \leftarrow (N,g)$, finally outputs $\Lambda$.

• $IS(1^k,\Lambda,\delta)$: $(N,g) \leftarrow \Lambda$, $r \in_U \mathbb{Z}^*_N$, $x \leftarrow g^r \bmod N^2$, $w \leftarrow (r,0)$, $v \in_U \mathbb{Z}^*_N$, $\bar{x} \leftarrow g^r(1 + vN) \bmod N^2$, $\bar{w} \leftarrow (r,v)$, finally outputs $(x,w)$ if $\delta = 0$ and $(\bar{x},\bar{w})$ if $\delta = 1$.

• $DI(1^k,\Lambda,x,w)$: $(N,g) \leftarrow \Lambda$, $(r,v) \leftarrow w$,

1) if $v \equiv 0 \pmod N$, operates as follows: checks that $N > 2^{2k}$, $g, x \in \mathbb{Z}^*_{N^2}$, $r \in \mathbb{Z}^*_N$, $x = g^r \bmod N^2$. Outputs 0 if all the tests pass.

2) if $v \not\equiv 0 \pmod N$, operates as follows: checks that $N > 2^{2k}$, $g, x \in \mathbb{Z}^*_{N^2}$, $r \in \mathbb{Z}^*_N$, $x = g^r(1 + vN) \bmod N^2$. Outputs 1 if all the tests pass.

• $KG(1^k,\Lambda,x)$: $(N,g) \leftarrow \Lambda$, $hk \in_U \mathbb{Z}_{N^2}$, $pk \leftarrow g^{hk} \bmod N^2$, finally outputs $(hk,pk)$.

• $Hash(1^k,\Lambda,x,hk)$: $(N,g) \leftarrow \Lambda$, $y \leftarrow x^{hk} \bmod N^2$, finally outputs $y$.

• $pHash(1^k,\Lambda,x,pk,w)$: $(N,g) \leftarrow \Lambda$, $(r,v) \leftarrow w$, $y \leftarrow pk^{r} \bmod N^2$, finally outputs $y$.

Theorem 45. Assuming DNR is a hard problem, the hash system is an $\epsilon$-UPHDH ($\epsilon < 1$).

Proof: It is easy to see that the hash system directly inherits the properties $\epsilon$-universality and projection from the instantiation of $\epsilon$-VUPH. Following Lemma 44, the hash system holds the property distinguishability. It remains to prove that the hash system holds the property hard subset membership.

For this system, the probability ensembles $Hm_1$, $Hm_2$ mentioned in the definition of $\epsilon$-UPHDH can be described as follows.

• $Hm_1(1^k)$: $\Lambda \leftarrow PG(1^k)$, $(N,g) \leftarrow \Lambda$, $r \in_U \mathbb{Z}^*_N$, $x \leftarrow g^r \bmod N^2$. Finally outputs $(\Lambda,x)$.

• $Hm_2(1^k)$: $\Lambda \leftarrow PG(1^k)$, $(N,g) \leftarrow \Lambda$, $r, v \in_U \mathbb{Z}^*_N$, $x \leftarrow g^r(1 + vN) \bmod N^2$. Finally outputs $(\Lambda,x)$.

$Hm_1$ outputs an $N$-th residue modulo $N^2$, whereas $Hm_2$ outputs an $N$-th residue multiplied by a non-trivial element $1 + vN$ of the order-$N$ subgroup of $\mathbb{Z}^*_{N^2}$, so an efficient distinguisher for the two ensembles yields an efficient distinguisher for $DNR_1$ and $DNR_2$. Hence $Hm_1 \stackrel{c}{=} Hm_2$ under the DNR assumption, and the hash system holds the property hard subset membership. □



7.4 A Construction Under The Decisional Quadratic Residuosity Assumption

We reuse $Gen(1^k)$ defined in Section 7.3.2. Let $J_N$ be the subgroup of $\mathbb{Z}^*_N$ of elements with Jacobi symbol 1. The problem decisional quadratic residuosity (DQR) is to construct an algorithm that distinguishes the two probability ensembles $DQR_1 \stackrel{def}{=} \{DQR_1(1^k)\}_{k \in \mathbb{N}}$ and $DQR_2 \stackrel{def}{=} \{DQR_2(1^k)\}_{k \in \mathbb{N}}$, which are formulated as follows.

• $DQR_1(1^k)$: $N \leftarrow Gen(1^k)$, $x \in_U J_N$, finally outputs $(N,x)$.

• $DQR_2(1^k)$: $N \leftarrow Gen(1^k)$, $r \in_U \mathbb{Z}^*_N$, $x \leftarrow r^2 \bmod N$, finally outputs $(N,x)$.

The DQR assumption is that there is no efficient algorithm solving the problem. That is, it is assumed that $DQR_1 \stackrel{c}{=} DQR_2$.

As in Section 7.3, the hash system we aim to achieve is an instantiation of $\epsilon$-UPHDH. We build it on an instantiation of $\epsilon$-VUPH presented by [32] which is constructed under the DQR assumption. Considering the space, we do not reproduce the instantiation of $\epsilon$-VUPH here, and directly present our instantiation of $\epsilon$-UPHDH as follows.

• $PG(1^k)$: $(p,q) \in_U (\mathbb{P},\mathbb{P})$ where $|p| = k$, $p < q < 2p - 1$ and $p \equiv q \equiv 3 \pmod 4$, $N \leftarrow pq$, $a \in_U \mathbb{Z}^*_N$, $T \leftarrow 2^{\lceil \log N \rceil}$, $g \leftarrow a^{2T} \bmod N$, $\Lambda \leftarrow (N,g)$, finally outputs $\Lambda$.

• $IS(1^k,\Lambda,\delta)$: $(N,g) \leftarrow \Lambda$, $r \in_U \mathbb{Z}_N$, $x \leftarrow g^r \bmod N$, $\bar{x} \leftarrow N - (g^r \bmod N)$, $w \leftarrow r$, finally outputs $(x,w)$ if $\delta = 0$ and $(\bar{x},w)$ if $\delta = 1$.

• $DI(1^k,\Lambda,x,w)$: $(N,g) \leftarrow \Lambda$, $r \leftarrow w$; checks that $N > 2^{2k}$ and $g, x \in \mathbb{Z}^*_N$. Outputs 0 if $x = g^r \bmod N$ and all the tests pass. Outputs 1 if $x = N - (g^r \bmod N)$ and all the tests pass.

• $KG(1^k,\Lambda,x)$: $(N,g) \leftarrow \Lambda$, $hk \in_U \mathbb{Z}_N$, $pk \leftarrow g^{hk} \bmod N$, finally outputs $(hk,pk)$.

• $Hash(1^k,\Lambda,x,hk)$: $(N,g) \leftarrow \Lambda$, $y \leftarrow x^{hk} \bmod N$, finally outputs $y$.

• $pHash(1^k,\Lambda,x,pk,w)$: $(N,g) \leftarrow \Lambda$, $y \leftarrow pk^{w} \bmod N$, finally outputs $y$.
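The DNR instantiation of Section 7.3.3 and the DQR instantiation above, as an added worked example that is not part of the paper: the code implements both hash systems over one constructed toy modulus ($N = 1019 \cdot 1031$; real use needs primes of at least 1024 bits) and checks projection on $x$ together with $\epsilon$-universality on $\bar{x}$ by exhibiting two hash keys $hk$ and $hk + \mathrm{shift}$ that share the same projection key: the shift is a multiple of the order of $g$, computable only from the factorisation of $N$, and it leaves the hash of a projective instance unchanged while changing the hash of a smooth one. The DNR $IT$ check is included as well. Taking the logarithm in $T$ to base 2 and using $\lambda(N)$ (respectively $\lambda(N)/2$) as the shift are assumptions of the example.

```python
import math
import secrets

# Constructed toy modulus: p, q are 10-bit primes with gcd(pq, (p-1)(q-1)) = 1
# and p = q = 3 (mod 4), so one N serves both the DNR and the DQR instantiation.
# Real use needs primes of 1024+ bits; these only exercise the algebra.
K = 10
P_, Q_ = 1019, 1031
N = P_ * Q_
LAM = (P_ - 1) * (Q_ - 1) // math.gcd(P_ - 1, Q_ - 1)   # lambda(N); knowing it plays the role of the trapdoor


def _unit(mod):
    """Uniform element of Z*_mod."""
    while True:
        a = secrets.randbelow(mod)
        if math.gcd(a, mod) == 1:
            return a


# ---- DNR-based epsilon-UPHDH of Section 7.3.3, computed in Z*_{N^2} ----

def dnr_PG():
    T = N ** math.ceil(2 * math.log2(N))          # T = N^{ceil(2 log N)}, log taken base 2 here (assumption)
    return (N, pow(_unit(N * N), N * T, N * N))   # Lambda = (N, g) with g = a^{N T} mod N^2


def dnr_IS(Lam, delta):
    n, g = Lam
    r = _unit(n)
    x = pow(g, r, n * n)
    if delta == 0:
        return x, (r, 0)
    v = _unit(n)
    return x * (1 + v * n) % (n * n), (r, v)     # xbar = g^r (1 + vN)


def dnr_IT(Lam, x, xbar):
    """IT of the epsilon-VUPH: accept iff xbar = x (1 + vN) mod N^2 for a unit v."""
    n, _ = Lam
    n2 = n * n
    if not (n > 2 ** (2 * K) and math.gcd(x, n2) == 1 and math.gcd(xbar, n2) == 1):
        return 0
    d = xbar * pow(x, -1, n2) % n2
    if (d - 1) % n != 0:
        return 0
    return 1 if math.gcd((d - 1) // n, n) == 1 else 0


def dnr_KG(Lam, x, hk=None):
    n, g = Lam
    hk = secrets.randbelow(n * n) if hk is None else hk
    return hk, pow(g, hk, n * n)


def dnr_Hash(Lam, x, hk):
    return pow(x, hk, Lam[0] ** 2)


def dnr_pHash(Lam, x, pk, w):
    return pow(pk, w[0], Lam[0] ** 2)


# ---- DQR-based epsilon-UPHDH of Section 7.4, computed in Z*_N ----

def dqr_PG():
    T = 2 ** math.ceil(math.log2(N))
    return (N, pow(_unit(N), 2 * T, N))          # g = a^{2T} mod N is a quadratic residue


def dqr_IS(Lam, delta):
    n, g = Lam
    r = secrets.randbelow(n)
    x = pow(g, r, n)
    return (x if delta == 0 else n - x), r       # xbar = N - g^r, i.e. -g^r mod N


def dqr_KG(Lam, x, hk=None):
    n, g = Lam
    hk = secrets.randbelow(n) if hk is None else hk
    return hk, pow(g, hk, n)


def dqr_Hash(Lam, x, hk):
    return pow(x, hk, Lam[0])


def dqr_pHash(Lam, x, pk, w):
    return pow(pk, w, Lam[0])


def projection_and_universality(PG, IS, KG, Hash, pHash, shift):
    """Sample one projective and one smooth instance, then compare the hashes
    under two keys hk and hk + shift that share the same pk (shift is a multiple
    of ord(g), computable only with the factorisation of N).  Returns
    (projection_ok, same_pk, projective_hash_fixed, smooth_hash_changes)."""
    Lam = PG()
    x0, w0 = IS(Lam, 0)
    x1, _ = IS(Lam, 1)
    hk, pk = KG(Lam, x0)
    hk2, pk2 = KG(Lam, x0, hk + shift)
    return (Hash(Lam, x0, hk) == pHash(Lam, x0, pk, w0),
            pk == pk2,
            Hash(Lam, x0, hk) == Hash(Lam, x0, hk2),
            Hash(Lam, x1, hk) != Hash(Lam, x1, hk2))
```

For DNR the shift is $\lambda(N)$, and the smooth hash picks up the factor $(1+vN)^{\lambda(N)} = 1 + v\lambda(N)N \bmod N^2 \neq 1$; for DQR the shift is the odd number $\lambda(N)/2$, which flips the sign of $(-g^r)^{hk}$. In both cases the projection key $g^{hk}$ is identical, which is exactly why the hash of $\bar{x}$ cannot be predicted from $pk$ alone (and why $hk \bmod N$, respectively the parity of $hk$, bounds $\epsilon$ strictly below 1).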

Theorem 46. Assuming DQR is a hard problem, the hash system is an $\epsilon$-UPHDH with $\epsilon < 1$.

This theorem can be proven in the same way as Theorem 45.